Heap-based buffer overflow in archive_string_append_from_wcs() (archive_string.c) in libarchive-3.4.1dev allows remote attackers to cause a denial of service (out-of-bounds write in heap memory resulting in a crash) via a crafted archive file. NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected.

Reference: https://github.com/libarchive/libarchive/issues/1298

Upstream patch: https://github.com/libarchive/libarchive/commit/4f085eea879e2be745f4d9bf57e8513ae48157f4
Flaw summary: When archive_string_append_from_wcs() in libarchive/archive_string.c grows the archive_string buffer (via realloc), the reallocation size can be smaller than a max-sized multibyte character plus space for its null terminator. This could cause an out-of-bounds write of 1 byte later in the code when `as->s[as->length] = '\0';` is executed, or potentially elsewhere in the code.
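The sizing invariant behind this flaw, as an added sketch that is not libarchive's code: every growth request must leave room for one max-sized multibyte character plus the terminator, and that must hold before each conversion. The names `struct mbs`, `grow_request`, `mbs_reserve` and `mbs_append_wcs` are hypothetical, the length-proportional request (`remaining * 2 + 1`) is an assumed heuristic, and `MB_LEN_MAX` stands in as the upper bound on a character's encoded size.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical growable byte string for this sketch (not libarchive's type). */
struct mbs { char *s; size_t length, cap; };

/* Bytes to request past `length` when `remaining` wide chars are left.
 * clamp == 0: length-proportional only (assumed heuristic); can be too small.
 * clamp != 0: never less than one max-sized character plus the terminator. */
size_t grow_request(size_t remaining, int clamp)
{
    size_t want = remaining * 2;
    if (clamp && want < (size_t)MB_LEN_MAX)
        want = (size_t)MB_LEN_MAX;
    return want + 1;
}

/* Ensure `extra` free bytes after s[length]; returns 0 on success. */
static int mbs_reserve(struct mbs *m, size_t extra)
{
    if (extra > (size_t)-1 - m->length) return -1;   /* size overflow */
    if (m->cap >= m->length + extra) return 0;
    char *n = realloc(m->s, m->length + extra);
    if (n == NULL) return -1;
    m->s = n;
    m->cap = m->length + extra;
    return 0;
}

/* Append up to `len` wide chars as multibyte text; 0 on success, -1 on error. */
int mbs_append_wcs(struct mbs *m, const wchar_t *w, size_t len)
{
    mbstate_t st;
    memset(&st, 0, sizeof st);
    for (; len > 0 && *w != L'\0'; w++, len--) {
        /* Invariant checked before every conversion, not once up front. */
        if (m->cap - m->length < (size_t)MB_LEN_MAX + 1 &&
            mbs_reserve(m, grow_request(len, 1)) != 0)
            return -1;
        size_t n = wcrtomb(m->s + m->length, *w, &st);
        if (n == (size_t)-1) return -1;
        m->length += n;
    }
    if (mbs_reserve(m, 1) != 0) return -1;
    m->s[m->length] = '\0';    /* terminator always has a reserved byte */
    return 0;
}
```

With one wide character left, the unclamped request is 3 bytes, which is below `MB_LEN_MAX + 1`; that is the case where a conversion followed by the terminator write can land past the allocation.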
Statement: Red Hat Product Security has set the Severity of this flaw to Low for libarchive as shipped with Red Hat Enterprise Linux 8 because we could not reproduce the issue and it states "NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected." This flaw is out of support scope for libarchive as shipped with Red Hat Enterprise Linux 6 and 7.