FS#71257 - [dia] CVE-2019-19451 FTBFS
Attached to Project:
Community Packages
Opened by loqs (loqs) - Monday, 14 June 2021, 21:04 GMT
Last edited by Konstantin Gizdov (kgizdov) - Tuesday, 15 June 2021, 07:09 GMT
Details
Description:
CVE-2019-19451 [1]

When GNOME Dia before 2019-11-27 is launched with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop, thus endlessly writing text to stdout. If this launch is from a thumbnailer service, this output will usually be written to disk via the system's logging facility (potentially with elevated privileges), thus filling up the disk and eventually rendering the system unusable. (The filename can be for a nonexistent file.)

Fixed upstream [2]. This does not apply cleanly as the context is changed by previous commit [3]. Use patch from Fedora [4] that does apply cleanly.

dia fails to build from source. It appears ftp://ftp.gnome.org has been shut down; https://ftp.gnome.org with the same layout is a drop-in replacement.

makepkg --verifysource
==> Making package: dia 0.97.3-7 (Mon 14 Jun 2021 20:48:03 UTC)
==> Retrieving sources...
  -> Downloading dia-0.97.3.tar.xz...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (7) Failed to connect to ftp.gnome.org port 21: No route to host
==> ERROR: Failure while downloading ftp://ftp.gnome.org/pub/gnome/sources/dia/0.97/dia-0.97.3.tar.xz
    Aborting...

PKGBUILD.diff.1 applies the above changes as well as dropping the EOL python2 bindings and removing libtool overlinking.

PKGBUILD.diff.2 switches to a pinned commit from git master. It contains the fix for CVE-2019-19451, switches to meson so no libtool overlinking, and supports python3. The version string from the git tree is 0.97.0, which is less than 0.97.3, hence the epoch.

Additional info:
[1] https://nvd.nist.gov/vuln/detail/CVE-2019-19451
[2] https://gitlab.gnome.org/GNOME/dia/-/commit/b0a8c2ac439e6fbf7862e793fa378a8f2e66c624
[3] https://gitlab.gnome.org/GNOME/dia/-/commit/a67db4890f859a660d88263102bd1f47d2c8cdba
[4] https://src.fedoraproject.org/rpms/dia/blob/rawhide/f/dia-0.9.3-cve-2019-19451.patch
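
An added example, not part of the original report and not code from Dia or the Arch package: a Python check that finds filenames whose raw bytes do not decode in a given encoding, the input condition the CVE description names. It assumes that condition corresponds to a strict decode failure in the locale codec; `undecodable`, `scan_tree` and `SAMPLE` are names made up here.

```python
import codecs
import locale
import os
import sys


def undecodable(names, encoding=None):
    """Return the byte filenames that fail a strict decode in `encoding`.

    Assumption: "not valid in the current encoding" means a strict decode
    error in the locale's codec (the default when `encoding` is None).
    """
    encoding = encoding or locale.getpreferredencoding(False)
    codecs.lookup(encoding)  # raise LookupError early on an unknown codec name
    bad = []
    for raw in names:
        try:
            raw.decode(encoding, errors="strict")
        except UnicodeDecodeError:
            bad.append(raw)
    return bad


def scan_tree(root, encoding=None):
    """Walk `root` with bytes paths so the OS returns raw, undecoded names."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(os.fsencode(root)):
        for raw in undecodable(dirnames + filenames, encoding):
            hits.append(os.path.join(dirpath, raw))
    return hits


# Constructed sample names: plain ASCII, valid UTF-8, Latin-1 bytes, stray bytes.
SAMPLE = [b"network.dia", b"sch\xc3\xa9ma.dia", b"sch\xe9ma.dia", b"\xff\xfe.dia"]

if __name__ == "__main__":
    # Usage: python3 check_names.py /path/to/scan
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path in scan_tree(root):
        # ascii() escapes the raw bytes, so the report itself stays printable.
        print(ascii(path))
```

Whether a name is flagged depends on the encoding checked: the Latin-1 sample is flagged under UTF-8 but not under Latin-1.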
Closed by Konstantin Gizdov (kgizdov)
Tuesday, 15 June 2021, 07:09 GMT
Reason for closing: Fixed
Additional comments about closing: dia 0.97.3-8

Thanks for this. Much appreciated!