Rapid7 Vulnerability & Exploit Database

Alpine Linux: CVE-2019-19451: dia infinite loop on filenames with invalid encoding


Severity: 5
CVSS: (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Published: 11/29/2019
Created: 01/03/2020
Added: 01/03/2020
Modified: 01/03/2020

Description

When GNOME Dia before 2019-11-27 is launched with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop, thus endlessly writing text to stdout. If this launch is from a thumbnailer service, this output will usually be written to disk via the system's logging facility (potentially with elevated privileges), thus filling up the disk and eventually rendering the system unusable. (The filename can be for a nonexistent file.) NOTE: this does not affect an upstream release, but affects certain Linux distribution packages with version numbers such as 0.97.3.
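The failure described above has two parts: an argument that is not valid in the current encoding is never rejected, and the resulting output is consumed by a logging facility with no upper bound. As an added illustration that is not Dia's code and not part of this advisory, the Python sketch below shows the defensive shape a command-line tool or thumbnailer wrapper should have at that point: a strict decode of each raw argument that returns a rejection instead of looping, one log line per bad argument, and a log sink with a hard byte budget so a runaway producer cannot fill the disk. The function names, the `BoundedLog` class and the sample argv bytes are all constructed for this example; the only fact relied on is that Python decodes argv with `surrogateescape` on POSIX, which is why the lone-surrogate check is included.

```python
import locale
from typing import List, Optional, Tuple


class BoundedLog:
    """Constructed stand-in for a logging sink with a hard byte budget.

    Models the mitigation for the disk-filling effect: once the budget is
    exhausted, further lines are dropped and counted rather than written.
    """

    def __init__(self, max_bytes: int) -> None:
        self.max_bytes = max_bytes
        self.lines = []          # accepted lines, in order
        self.bytes_written = 0
        self.dropped = 0

    def write(self, line: str) -> bool:
        size = len(line.encode("utf-8")) + 1  # +1 for the trailing newline
        if self.bytes_written + size > self.max_bytes:
            self.dropped += 1
            return False
        self.lines.append(line)
        self.bytes_written += size
        return True


def decode_filename_arg(raw: bytes, encoding: Optional[str] = None) -> Optional[str]:
    """Strictly decode a raw argv entry under the current (or a given) encoding.

    Returns None, rather than raising or looping, when the bytes are not a
    valid code point sequence in that encoding. The file need not exist;
    only the encoding of the name is checked here.
    """
    enc = encoding or locale.getpreferredencoding(False)
    try:
        return raw.decode(enc, errors="strict")
    except (UnicodeDecodeError, LookupError):
        return None


def has_undecodable_bytes(arg: str) -> bool:
    """Detect lone surrogates left by Python's surrogateescape decoding of sys.argv.

    Useful when the program only sees the already-decoded str form of argv.
    """
    return any(0xDC80 <= ord(ch) <= 0xDCFF for ch in arg)


def process_filename_args(raw_args: List[bytes], encoding: str,
                          log: BoundedLog) -> Tuple[List[str], int]:
    """Accept decodable filenames; reject the rest with exactly one log line each.

    Returns (accepted_names, rejected_count). The loop advances on every
    argument, so an invalid name can never cause repeated output.
    """
    accepted = []
    rejected = 0
    for raw in raw_args:
        name = decode_filename_arg(raw, encoding)
        if name is None:
            rejected += 1
            log.write(f"dia-wrapper: skipping argument with invalid "
                      f"{encoding} encoding: {raw!r}")
            continue
        accepted.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample argv as a thumbnailer might pass it: one valid name,
    # one whose bytes are not valid UTF-8 (neither file needs to exist).
    sample_argv = [b"diagram.dia", b"\xff\xfe-bad.dia"]
    sink = BoundedLog(max_bytes=4096)
    ok, bad = process_filename_args(sample_argv, "utf-8", sink)
    print("accepted:", ok, "rejected:", bad)
    print("log:", sink.lines, "dropped:", sink.dropped)
```

Note that the result is encoding-dependent: the same bytes that fail under UTF-8 decode cleanly under a single-byte encoding such as Latin-1, which is why the check must use the encoding actually in effect for the process rather than a hard-coded one.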

Solution(s)

  • alpine-linux-upgrade-dia
