{"id":"CVE-2019-19221","details":"In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. For example, bsdtar crashes via a crafted archive.","modified":"2026-03-15T14:34:26.646249Z","published":"2019-11-21T23:15:13.887Z","related":["ALSA-2020:4443","MGASA-2020-0127","SUSE-SU-2021:3722-1","openSUSE-SU-2024:10925-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RHFV25AVTASTWZRF3KTSL357AQ6TYHM4/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/04/msg00020.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00030.html"},{"type":"REPORT","url":"https://github.com/libarchive/libarchive/issues/1276"},{"type":"FIX","url":"https://usn.ubuntu.com/4293-1/"},{"type":"FIX","url":"https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libarchive/libarchive","events":[{"introduced":"0"},{"last_affected":"614110e76d9dbb9ed3e159a71cbd75fa3b23efe3"},{"fixed":"22b1db9d46654afc6f0c28f90af8cdc84a199f41"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.4.0"}]}}],"versions":["v2.6.0","v2.6.1","v2.6.2","v2.7.0","v2.7.1","v2.8.0","v2.8.1","v2.8.2","v2.8.3","v2.8.4","v2.8.5","v3.0.0a","v3.0.1b","v3.0.2","v3.0.3","v3.0.4","v3.1.0","v3.1.1","v3.1.2","v3.1.900a","v3.1.901a","v3.2.0","v3.2.1","v3.2.2","v3.3.0","v3.3.1","v3.3.2","v3.3.3","v3.4.0"],"database_specific":{"vanir_signatures":[{"deprecated":false,"digest":{"line_hashes":["259493752926620651709142349362849276195","230785914983052223447961732927117151371","12217636447501291062302553513055680385","62405126494858429610787578500845061231","179463854991740435999144472805357298736","68272709789547205234125986453360853951","162410301725275465914806499663084049292","39164957372088187268497416633378961709","202682923871852641868733101080295891962","301086400055508873109432046317611991735","74546993610714974430143180538446038077","61386143541752768976266999255212136357","304739343456208653730853587197886130232","69163275847624257713894847667530878779","317680709258419472989675329879033315216","194390456970727352281349517689519873402","337761648969299792289380367460237055379","245645095900971998780157229976002940083","313689221747533615139444426067652867707","71839374558949873560356293840298277327","324202677020325561218158605561092244799","36678885239641828656854822239115902921","63456052592772401547364162085691945315","208068655965959195053039668998724809446","321372824576092357600368061492307768572","115861186337743141515360542569469183063","291243398602166245106447150619205573687","323333371442874016294651402000641868572","247288520912191146938119320438545084272","113231134948946292219430299831050015683","214748447455728673716737136207566695935","194097180572846545798744625891833564381","119524074472370788340214959067133643311"],"threshold":0.9},"signature_type":"Line","target":{"file":"libarchive/archive_string.c"},"id":"CVE-2019-19221-5e805d5f","signature_version":"v1","source":"https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41"},{"deprecated":false,"digest":{"length":1063,"function_hash":"15941912786800880371649172928636517809"},"signature_type":"Function","target":{"function":"archive_wstring_append_from_mbs","file":"libarchive/archive_string.c"},"id":"CVE-2019-19221-b74e4aa8","signature_version":"v1","source":"https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"32"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"19.10"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19221.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}