Infinite loop in dia (Alpine package) - CVE-2019-19451
Published: June 25, 2020
dia (Alpine package)
Alpine Linux Development Team
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop that occurs when dia is launched with a filename argument that is not a valid codepoint in the current encoding. If this launch is from a thumbnailer service, the output produced by the loop will usually be written to disk via the system's logging facility (potentially with elevated privileges), thus filling up the disk and eventually rendering the system unusable.