FS#71257 - [dia] CVE-2019-19451 FTBFS

Attached to Project: Community Packages
Opened by loqs (loqs) - Monday, 14 June 2021, 21:04 GMT
Last edited by Konstantin Gizdov (kgizdov) - Tuesday, 15 June 2021, 07:09 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: Konstantin Gizdov (kgizdov)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
CVE-2019-19451 [1]
When GNOME Dia before 2019-11-27 is launched with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop, thus endlessly writing text to stdout. If this launch is from a thumbnailer service, this output will usually be written to disk via the system's logging facility (potentially with elevated privileges), thus filling up the disk and eventually rendering the system unusable. (The filename can be for a nonexistent file.)
Fixed upstream [2]. This does not apply cleanly as the context is changed by previous commit [3]. Use patch from Fedora [4] that does apply cleanly.

dia fails to build from source. It appears ftp://ftp.gnome.org has been shut down; https://ftp.gnome.org, with the same layout, is a drop-in replacement.
makepkg --verifysource
==> Making package: dia 0.97.3-7 (Mon 14 Jun 2021 20:48:03 UTC)
==> Retrieving sources...
-> Downloading dia-0.97.3.tar.xz...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (7) Failed to connect to ftp.gnome.org port 21: No route to host
==> ERROR: Failure while downloading ftp://ftp.gnome.org/pub/gnome/sources/dia/0.97/dia-0.97.3.tar.xz
Aborting...

PKGBUILD.diff.1 applies the above changes as well as dropping the EOL python2 bindings and removing libtool overlinking.
PKGBUILD.diff.2 switches to a pinned commit from git master. It contains the fix for CVE-2019-19451, switches to meson so no libtool overlinking and supports python3. The version string from the git tree is 0.97.0 which is less than 0.97.3 hence the epoch.

Additional info:
[1] https://nvd.nist.gov/vuln/detail/CVE-2019-19451
[2] https://gitlab.gnome.org/GNOME/dia/-/commit/b0a8c2ac439e6fbf7862e793fa378a8f2e66c624
[3] https://gitlab.gnome.org/GNOME/dia/-/commit/a67db4890f859a660d88263102bd1f47d2c8cdba
[4] https://src.fedoraproject.org/rpms/dia/blob/rawhide/f/dia-0.9.3-cve-2019-19451.patch

Closed by: Konstantin Gizdov (kgizdov)
Tuesday, 15 June 2021, 07:09 GMT
Reason for closing: Fixed
Additional comments about closing: dia 0.97.3-8
Comment by Konstantin Gizdov (kgizdov) - Tuesday, 15 June 2021, 07:08 GMT
Thanks for this. Much appreciated!
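
An added example, not part of the original task and not the upstream fix or the Arch package: a launcher-side guard for the failure mode in the CVE description, where a file name that is invalid in the current encoding makes the tool print endlessly and a thumbnailer's logging fills the disk. The function names, the 64 KiB cap and the 5 second deadline are assumptions chosen for illustration.

```python
import os
import selectors
import subprocess
import time

def filename_decodes(raw: bytes, encoding: str) -> bool:
    """True only if the raw argv bytes are valid text in `encoding`."""
    try:
        raw.decode(encoding, errors="strict")
        return True
    except (UnicodeDecodeError, LookupError):
        return False

def run_bounded(argv, max_bytes=64 * 1024, timeout_s=5.0):
    """Run argv, discard its output, kill it past a byte cap or deadline."""
    proc = subprocess.Popen(argv, stdin=subprocess.DEVNULL,
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    sel = selectors.DefaultSelector()
    sel.register(proc.stdout, selectors.EVENT_READ)
    deadline = time.monotonic() + timeout_s
    seen, verdict = 0, "ok"
    try:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                verdict = "timeout"
                break
            if not sel.select(remaining):
                continue  # nothing readable yet; re-check the deadline
            chunk = os.read(proc.stdout.fileno(), 4096)
            if not chunk:  # EOF: the child closed its output
                break
            seen += len(chunk)  # counted, never forwarded to a log
            if seen > max_bytes:
                verdict = "output-cap"
                break
    finally:
        sel.close()
        if proc.poll() is None:
            proc.kill()
        proc.stdout.close()
        proc.wait()
    return verdict, seen

def guarded_launch(tool_argv, raw_name: bytes, encoding: str, **limits):
    """Refuse undecodable names; otherwise run the tool with bounded output."""
    if not filename_decodes(raw_name, encoding):
        return "rejected", 0
    return run_bounded(list(tool_argv) + [raw_name], **limits)
```

The encoding is passed explicitly so the check is deterministic; a real launcher would pass the locale's encoding, and the byte cap still bounds what an unpatched tool can push toward a log if a bad name slips through.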