Infinite loop in dia (Alpine package) - CVE-2019-19451

 

Infinite loop in dia (Alpine package) - CVE-2019-19451

Published: June 25, 2020


Vulnerability identifier: #VU29304
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-19451
CWE-ID: CWE-835
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Alpine Linux Development Team
Affected software:
dia (Alpine package)

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when launched with a filename argument that is not a valid codepoint in the current encoding. If this launch is from a thumbnailer service, this output will usually be written to disk via the system's logging facility (potentially with elevated privileges), thus filling up the disk and eventually rendering the system unusable.


How to mitigate CVE-2019-19451

Install updates from vendor's website.

Sources