CVE-2019-19451Infinite Loop in DIA

CWE-835Infinite Loop7 documents5 sources
Severity
5.5MEDIUMNVD
EPSS
0.2%
top 64.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
DIAGnome DIADebian DIA+2 more
Timeline
PublishedNov 29
Latest updateMay 24

Description

When GNOME Dia before 2019-11-27 is launched with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop, thus endlessly writing text to stdout. If this launch is from a thumbnailer service, this output will usually be written to disk via the system's logging facility (potentially with elevated privileges), thus filling up the disk and eventually rendering the system unusable. (The filename can be for a nonexistent file.) NOTE: this does not affect a

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

NVDgnome/dia< 2019-11-27
debiandebian/dia< dia 0.97.3+git20220525-1 (bookworm)
Debiandia/dia< 0.97.3+git20220525-1+2
NVDopensuse/leap15.1

Also affects: Fedora 32, 33

🔴Vulnerability Details

2
GHSA
GHSA-4vq3-2rwv-w7mg: When GNOME Dia before 2019-11-27 is launched with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop2022-05-24
OSV
CVE-2019-19451: When GNOME Dia before 2019-11-27 is launched with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop2019-11-29

📋Vendor Advisories

1
Debian
CVE-2019-19451: dia - When GNOME Dia before 2019-11-27 is launched with a filename argument that is no...2019

💬Community

3
Bugzilla
CVE-2019-19451 dia: infinite loop on filenames with invalid encoding2019-12-02
Bugzilla
CVE-2019-19451 dia: infinite loop on filenames with invalid encoding [fedora-all]2019-12-02
Bugzilla
CVE-2019-19451 dia: infinite loop on filenames with invalid encoding [epel-all]2019-12-02