CVE-2019-19451

Publication date 29 November 2019

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

5.5 · Medium

Score breakdown

When GNOME Dia before 2019-11-27 is launched with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop, thus endlessly writing text to stdout. If this launch is from a thumbnailer service, this output will usually be written to disk via the system’s logging facility (potentially with elevated privileges), thus filling up the disk and eventually rendering the system unusable. (The filename can be for a nonexistent file.) NOTE: this does not affect an upstream release, but affects certain Linux distribution packages with version numbers such as 0.97.3.

Read the notes from the security team

Status

Package Ubuntu Release Status
dia 24.10 oracular
Vulnerable
24.04 LTS noble
Vulnerable
23.10 mantic Ignored end of life, was needed
23.04 lunar Ignored end of life, was needed
22.10 kinetic Ignored end of life, was needed
22.04 LTS jammy
Vulnerable
21.10 impish Ignored end of life
21.04 hirsute Ignored end of life
20.10 groovy Ignored end of life
20.04 LTS focal
Vulnerable
19.10 eoan Ignored end of life
19.04 disco Ignored end of life
18.04 LTS bionic
Vulnerable
16.04 LTS xenial
Needs evaluation
14.04 LTS trusty Not in release

Notes


leosilva

introduced by https://gitlab.gnome.org/GNOME/dia/-/commit/9a5f438d4b3e718c8ab0efe01d08ee2c3a0d9a86

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
dia

Severity score breakdown

Parameter Value
Base score 5.5 · Medium
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H