Arch Linux

Description:
CVE-2019-19451 [1]
When GNOME Dia before 2019-11-27 is launched with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop, thus endlessly writing text to stdout. If this launch is from a thumbnailer service, this output will usually be written to disk via the system's logging facility (potentially with elevated privileges), thus filling up the disk and eventually rendering the system unusable. (The filename can be for a nonexistent file.)
Fixed upstream [2]. This does not apply cleanly as the context is changed by previous commit [3]. Use patch from Fedora [4] that does apply cleanly.

dia fails to build from source. It appears ftp://ftp.gnome.org has been shutdown https://ftp.gnome.org with the same layout is a drop in replacement.
makepkg --verifysource
==> Making package: dia 0.97.3-7 (Mon 14 Jun 2021 20:48:03 UTC)
==> Retrieving sources...
-> Downloading dia-0.97.3.tar.xz...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (7) Failed to connect to ftp.gnome.org port 21: No route to host
==> ERROR: Failure while downloading ftp://ftp.gnome.org/pub/gnome/sources/dia/0.97/dia-0.97.3.tar.xz
Aborting...

PKGBUILD.diff.1 applies the above changes as well as dropping the EOL python2 bindings and removing libtool overlinking
PKGBUILD.diff.2 switches to a pinned commit from git master. It contains the fix for CVE-2019-19451, switches to meson so no libtool overlinking and supports python3. The version string from the git tree is 0.97.0 which is less than 0.97.3 hence the epoch.

Additional info:
[1] https://nvd.nist.gov/vuln/detail/CVE-2019-19451
[2] https://gitlab.gnome.org/GNOME/dia/-/commit/b0a8c2ac439e6fbf7862e793fa378a8f2e66c624
[3] https://gitlab.gnome.org/GNOME/dia/-/commit/a67db4890f859a660d88263102bd1f47d2c8cdba
[4] https://src.fedoraproject.org/rpms/dia/blob/rawhide/f/dia-0.9.3-cve-2019-19451.patch