Package: dia
Version: 0.97.3+git20160930-8.1
Severity: critical
Tags: security upstream
Justification: breaks the whole system

Dear Maintainer,

when GNOME Dia before 2019-11-27 is launched with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop, thus endlessly writing text to stdout. (The filename can be for a nonexistent file.) If this launch is from a thumbnailer service, this output will usually be written to disk via the system's logging facility (potentially with elevated privileges), thus filling up the disk and eventually rendering the system unusable.

Further details are available in the upstream bug report [1] and the CVE description [2].

Upstream (the GNOME Dia developers) has not tagged any official release versions since 2011 (0.97.2), so Debian currently ships a more recent state as 0.97.3+git20160930-8.2. The vulnerability was introduced after the release of 0.97.2, and is contained in all 0.97.3+* versions in Debian.

Could you please package the current development version of Dia, or apply the (one-line) patch [3], to fix this vulnerability?

Kind regards,
Nils Steinger

[1]: https://gitlab.gnome.org/GNOME/dia/issues/428
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19451
[3]: https://gitlab.gnome.org/GNOME/dia/commit/baa2df853f9fb770eedcf3d94c7f5becebc90bb9?merge_request_iid=50

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (90, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dia depends on:
ii  dia-common           0.97.3+git20160930-8.1
ii  libart-2.0-2         2.3.21-4
ii  libatk1.0-0          2.30.0-2
ii  libc6                2.28-10
ii  libcairo2            1.16.0-4
ii  libfontconfig1       2.13.1-2
ii  libfreetype6         2.9.1-3+deb10u1
ii  libgdk-pixbuf2.0-0   2.38.1+dfsg-1
ii  libglib2.0-0         2.58.3-2+deb10u2
ii  libgtk2.0-0          2.24.32-3
ii  libpango-1.0-0       1.42.4-7~deb10u1
ii  libpangocairo-1.0-0  1.42.4-7~deb10u1
ii  libpangoft2-1.0-0    1.42.4-7~deb10u1
ii  libpng16-16          1.6.36-6
ii  libpython2.7         2.7.16-2+deb10u1
ii  libxml2              2.9.4+dfsg1-7+b3
ii  libxslt1.1           1.1.32-2.2~deb10u1
ii  zlib1g               1:1.2.11.dfsg-1

Versions of packages dia recommends:
ii  dia-shapes   0.6.0-3
ii  gsfonts-x11  0.26

dia suggests no packages.

-- no debconf information
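The bug class the report describes (a filename argument containing bytes that are not a valid codepoint in the current encoding, a per-character loop that never advances, and a diagnostic written on every pass) is illustrated below as an added, self-contained example. It is not Dia's code and not the upstream patch [3]: the minimal UTF-8 decoder, the `vulnerable_walk`/`hardened_walk` names, the iteration cap and the constructed sample filenames are this example's own assumptions, chosen to show why a zero-length "invalid" result must be treated as an error before the pointer arithmetic runs.

```c
/* Added illustration of CVE-2019-19451's failure pattern (not Dia's code).
 * Assumes a UTF-8 locale, as in the reporter's LANG/LC_CTYPE settings. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Minimal UTF-8 decoder (example's own). Returns the byte length of the
 * sequence at `s` (1..4) and stores the codepoint, or 0 when the lead byte
 * is invalid or a continuation byte is missing or malformed. It does not
 * reject overlong forms or surrogates; that is enough for this demonstration.
 * Never reads past a NUL: a NUL fails the continuation check and returns 0. */
static size_t utf8_decode(const unsigned char *s, uint32_t *cp)
{
    unsigned char b = s[0];
    size_t len;
    if (b < 0x80)                { *cp = b; return 1; }
    else if ((b & 0xE0) == 0xC0) { len = 2; *cp = b & 0x1F; }
    else if ((b & 0xF0) == 0xE0) { len = 3; *cp = b & 0x0F; }
    else if ((b & 0xF8) == 0xF0) { len = 4; *cp = b & 0x07; }
    else return 0;  /* 0x80..0xBF (stray continuation) or 0xF8..0xFF */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;  /* truncated or bad continuation */
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    return len;
}

/* Cap so the vulnerable variant terminates in this demonstration; the
 * real defect has no such cap and spins until killed or the disk fills. */
#define LOOP_CAP 1000

/* Vulnerable pattern: the walk advances by whatever length the decoder
 * reports. An invalid byte yields length 0, so `p` never moves, and the
 * warning is emitted on every iteration (stdout, hence the log flood).
 * Returns the number of iterations taken; LOOP_CAP means "would spin".
 * `out` may be NULL to suppress the diagnostic. */
static int vulnerable_walk(const char *filename, FILE *out)
{
    const unsigned char *p = (const unsigned char *)filename;
    int iters = 0;
    while (*p && iters < LOOP_CAP) {
        uint32_t cp;
        size_t len = utf8_decode(p, &cp);
        if (len == 0 && out)
            fprintf(out, "Invalid character in filename '%s'\n", filename);
        p += len;   /* len == 0: no progress, same byte is examined again */
        iters++;
    }
    return iters;
}

/* Hardened pattern: a zero-length result is an error, reported once with
 * the offending offset, and the argument is refused instead of retried.
 * Returns the codepoint count, or -1 if the string is not valid UTF-8. */
static int hardened_walk(const char *filename, FILE *out)
{
    const unsigned char *p = (const unsigned char *)filename;
    int count = 0;
    while (*p) {
        uint32_t cp;
        size_t len = utf8_decode(p, &cp);
        if (len == 0) {
            if (out)
                fprintf(out, "Invalid UTF-8 at byte offset %ld; refusing filename\n",
                        (long)(p - (const unsigned char *)filename));
            return -1;
        }
        p += len;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed inputs standing in for argv[1]: a valid name containing a
     * two-byte codepoint, and one whose first byte (0xFF) is never valid UTF-8. */
    const char *good = "caf\xc3\xa9.dia";
    const char *bad  = "\xff.dia";

    printf("vulnerable_walk(good): %d iterations\n", vulnerable_walk(good, NULL));
    printf("vulnerable_walk(bad):  %d iterations (capped; uncapped it never ends)\n",
           vulnerable_walk(bad, NULL));
    printf("hardened_walk(good):   %d codepoints\n", hardened_walk(good, stdout));
    printf("hardened_walk(bad):    %d\n", hardened_walk(bad, stdout));
    return 0;
}
```

The same shape appears with any decoder that signals "invalid" through its returned length or by leaving the cursor in place: the loop condition depends on progress the error path never makes. When the caller is a thumbnailer or other unattended service, the consequence is exactly the one reported above, so validating the argument once (or converting it to a display form with replacement characters) before any per-character loop is the check to insist on.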