Security update for dia SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:3391-1 Final 1 1 2019-12-27T12:33:18Z current 2019-12-27T12:33:18Z 2019-12-27T12:33:18Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for dia This update for dia fixes the following issue: - CVE-2019-19451: Fixed an endless loop on filenames with invalid encoding (bsc#1158194). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-3391,SUSE-SLE-Product-WE-15-2019-3391,SUSE-SLE-Product-WE-15-SP1-2019-3391 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20193391-1/ Link for SUSE-SU-2019:3391-1 https://www.suse.com/support/update/announcement/2019/suse-su-20193391-1.html E-Mail link for SUSE-SU-2019:3391-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1158194 SUSE Bug 1158194 https://www.suse.com/security/cve/CVE-2019-19451/ SUSE CVE CVE-2019-19451 page SUSE Linux Enterprise Workstation Extension 15 SUSE Linux Enterprise Workstation Extension 15 SP1 dia-0.97.3-4.3.3 dia-lang-0.97.3-4.3.3 dia-0.97.3-4.3.3 as a component of SUSE Linux Enterprise Workstation Extension 15 dia-lang-0.97.3-4.3.3 as a component of SUSE Linux Enterprise Workstation Extension 15 dia-0.97.3-4.3.3 as a component of SUSE Linux Enterprise Workstation Extension 15 SP1 dia-lang-0.97.3-4.3.3 as a component of SUSE Linux Enterprise Workstation Extension 15 SP1 When GNOME Dia before 2019-11-27 is launched with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop, thus endlessly writing text to stdout. If this launch is from a thumbnailer service, this output will usually be written to disk via the system's logging facility (potentially with elevated privileges), thus filling up the disk and eventually rendering the system unusable. (The filename can be for a nonexistent file.) NOTE: this does not affect an upstream release, but affects certain Linux distribution packages with version numbers such as 0.97.3. CVE-2019-19451 SUSE Linux Enterprise Workstation Extension 15 SP1:dia-0.97.3-4.3.3 SUSE Linux Enterprise Workstation Extension 15 SP1:dia-lang-0.97.3-4.3.3 SUSE Linux Enterprise Workstation Extension 15:dia-0.97.3-4.3.3 SUSE Linux Enterprise Workstation Extension 15:dia-lang-0.97.3-4.3.3 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20193391-1/ https://www.suse.com/security/cve/CVE-2019-19451.html CVE-2019-19451 https://bugzilla.suse.com/1158194 SUSE Bug 1158194