CVE-2019-19451: Endless loop on filenames with invalid encoding (#428) · Issues · GNOME / Dia · GitLab
When GNOME Dia before 2019-11-27 is launched with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop, thus endlessly writing text to stdout. If this launch is from a thumbnailer service, this output will usually be written to disk via the system’s logging facility (potentially with elevated privileges), thus filling up the disk and eventually rendering the system unusable. (The filename can be for a nonexistent file.) NOTE: this does not affect an upstream release, but affects certain Linux distribution packages with version numbers such as 0.97.3.
When launching Dia with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop:
```
% dia $'\374'
Filename conversion failed: �
Filename conversion failed: �
Filename conversion failed: �
Filename conversion failed: �
Filename conversion failed: �
…
```
(The file does not need to actually exist.)
This is especially problematic when Dia is invoked by a thumbnail service [1]: the thumbnailer service (e.g. Tumbler) will usually log all output to syslog, which will very quickly fill up the disk.
Implication: Users with local system access can create an appropriately named file (e.g. `touch $'\374'.dia`), view the parent directory in a graphical file manager, and thus cause the thumbnailer service to fill the disk (outside of any quota restriction they may have), leading to an unusable system.
On a test system, Dia produced up to 32 MiB (1.3 million lines) of error output per second.
[1]: Dia registers `Exec=dia -t png -e %o -s %s %i` as a thumbnailer command in `/usr/share/thumbnailers/dia.thumbnailer`.
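The two mitigations a defender would want from this report are (a) the converter itself must report a bad filename once and move on, never retry without making progress, and (b) a service that invokes an external helper on untrusted filenames should bound both the helper's run time and the amount of output it is willing to capture or log. The following is an added example, not Dia's or Tumbler's code: `process_filenames` shows the bounded handling pattern for a list of raw filename bytes (the `b"\xfc.dia"` sample is constructed from the `$'\374'` name in the reproduction above), and `run_bounded` is a hypothetical POSIX wrapper that kills a child process once it exceeds an output cap or a timeout, so a helper that loops forever cannot fill a log.

```python
import os
import select
import subprocess
import sys
import time
from typing import Iterable, List, Tuple

# Constructed samples: 0xFC alone is not valid UTF-8 (this is the \374 byte
# from the issue's reproduction command); the other name decodes cleanly.
BAD_NAME = b"\xfc.dia"
GOOD_NAME = b"diagram.dia"


def to_display_name(raw: bytes, encoding: str = "utf-8") -> Tuple[str, bool]:
    """Decode a filename for display. Returns (text, ok); never raises, never retries."""
    try:
        return raw.decode(encoding), True
    except UnicodeDecodeError:
        # Keep the original bytes recoverable in the log via surrogateescape,
        # but flag the conversion as failed so the caller skips the file.
        return raw.decode(encoding, "surrogateescape"), False


def process_filenames(names: Iterable[bytes]) -> List[str]:
    """Handle every name exactly once: a failed conversion yields one message.

    The loop advances unconditionally, so an undecodable name cannot stall it.
    """
    messages: List[str] = []
    for raw in names:
        text, ok = to_display_name(raw)
        if not ok:
            messages.append(f"Filename conversion failed: {text!r}")
            continue  # next name; the for-loop guarantees progress
        messages.append(f"Opening: {text}")
    return messages


def run_bounded(cmd: List[str], max_output: int = 1 << 16,
                timeout: float = 5.0) -> Tuple[int, bytes, bool]:
    """Run a helper with a wall-clock timeout and a hard cap on captured output.

    Returns (returncode, captured_output, killed). Hypothetical wrapper for a
    service that spawns thumbnailers; uses select(), so POSIX only.
    """
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    fd = proc.stdout.fileno()
    deadline = time.monotonic() + timeout
    chunks: List[bytes] = []
    total = 0
    killed = False
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0 or total >= max_output:
            proc.kill()          # helper exceeded its budget: stop it, do not log more
            killed = True
            break
        ready, _, _ = select.select([fd], [], [], remaining)
        if not ready:
            continue             # timed out waiting; the next iteration kills
        chunk = os.read(fd, max_output - total)
        if not chunk:
            break                # EOF: the helper closed stdout and is exiting
        chunks.append(chunk)
        total += len(chunk)
    proc.stdout.close()
    proc.wait()
    return proc.returncode, b"".join(chunks), killed


if __name__ == "__main__":
    for line in process_filenames([GOOD_NAME, BAD_NAME]):
        print(line)
    # Constructed stand-in for a helper that never stops printing.
    noisy = [sys.executable, "-u", "-c", "while True: print('Filename conversion failed')"]
    rc, out, was_killed = run_bounded(noisy, max_output=4096, timeout=10)
    print(f"killed={was_killed} rc={rc} captured={len(out)} bytes")
```

The output cap is enforced on the reading side, so it holds regardless of what the child does; a service that instead pipes helper output straight to syslog has no such bound, which is exactly the condition the report describes.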