Source: golang-golang-x-image
Version: 0.7.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for golang-golang-x-image.

CVE-2023-29407[0]:
| A maliciously-crafted image can cause excessive CPU consumption in
| decoding. A tiled image with a height of 0 and a very large width
| can cause excessive CPU consumption, despite the image size (width *
| height) appearing to be zero.

CVE-2023-29408[1]:
| The TIFF decoder does not place a limit on the size of compressed
| tile data. A maliciously-crafted image can exploit this to cause a
| small image (both in terms of pixel width/height, and encoded size)
| to make the decoder decode large amounts of compressed data,
| consuming excessive memory and CPU.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-29407
    https://www.cve.org/CVERecord?id=CVE-2023-29407
    https://go.dev/issue/61581
[1] https://security-tracker.debian.org/tracker/CVE-2023-29408
    https://www.cve.org/CVERecord?id=CVE-2023-29408
    https://go.dev/issue/61582
[2] https://github.com/golang/image/commit/cb227cd2c919b27c6206fe0c1041a8bcc677949d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
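Added example (editor's note, not part of the bug report, and not code from the golang/image project or from the commit linked under [2], which is the actual upstream fix): a Go pre-decode guard that a service can run on an uploaded file before handing it to any TIFF decoder. It parses the first IFD itself, rejects a zero width or height rather than reading zero area as zero work (the shape described for CVE-2023-29407), and bounds the declared strip/tile byte counts against both the file size and a budget (the shape described for CVE-2023-29408). The tag numbers are from the TIFF 6.0 specification; the budget constants, the `buildTIFF` fixture builder and every file it produces are constructed for this example. The tile-count check generalises beyond the reported case by budgeting the decoder's tile loop for any tiled geometry.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// TIFF 6.0 tag numbers the guard consults, and budgets a consuming service sets for itself (constructed values).
const (
	tagImageWidth, tagImageLength, tagStripByteCounts = 256, 257, 279
	tagTileWidth, tagTileLength, tagTileByteCounts    = 322, 323, 325
	maxPixels       = uint64(64) << 20 // largest width*height the service will decode
	maxTiles        = uint64(1) << 16  // most tile-loop iterations a decoder may be asked to run
	maxEncodedBytes = uint64(64) << 20 // most compressed strip/tile bytes fed to a decompressor
)

var elemSize, errMalformed = map[uint16]uint64{3: 2, 4: 4}, fmt.Errorf("tiff guard: malformed header or IFD") // SHORT=2, LONG=4; other field types are skipped

// parseFirstIFD reads the header and first IFD, bounds-checking every offset it follows, and returns
// each SHORT/LONG field's first value and the sum of its values, keyed by tag number.
func parseFirstIFD(b []byte) (first, sum map[uint16]uint64, err error) {
	bo, first, sum := binary.ByteOrder(binary.LittleEndian), map[uint16]uint64{}, map[uint16]uint64{}
	if len(b) >= 8 && string(b[:2]) == "MM" {
		bo = binary.BigEndian
	} else if len(b) < 8 || string(b[:2]) != "II" {
		return nil, nil, errMalformed
	}
	ifd, size := uint64(bo.Uint32(b[4:8])), uint64(len(b))
	if bo.Uint16(b[2:4]) != 42 || ifd+2 > size || ifd+2+12*uint64(bo.Uint16(b[ifd:])) > size {
		return nil, nil, errMalformed
	}
	for i, n := uint64(0), uint64(bo.Uint16(b[ifd:])); i < n; i++ {
		e := b[ifd+2+12*i:]
		tag, count, elem := bo.Uint16(e), uint64(bo.Uint32(e[4:])), elemSize[bo.Uint16(e[2:])]
		if elem == 0 || count == 0 {
			continue
		}
		data := e[8:12] // values of 4 bytes or fewer are inline; larger arrays sit at an offset
		if off := uint64(bo.Uint32(e[8:])); count*elem > 4 {
			if off+count*elem > size {
				return nil, nil, errMalformed
			}
			data = b[off : off+count*elem]
		}
		get := func(p []byte) uint64 { return uint64(bo.Uint32(p)) } // LONG ...
		if elem == 2 {                                                // ... or SHORT
			get = func(p []byte) uint64 { return uint64(bo.Uint16(p)) }
		}
		first[tag] = get(data)
		for j := uint64(0); j < count; j++ {
			sum[tag] += get(data[j*elem:])
		}
	}
	return first, sum, nil
}

// checkTIFF rejects a file whose declared geometry or encoded size would let a decoder do work out of
// proportion to the image it claims to be; call it before handing the bytes to any TIFF decoder.
func checkTIFF(b []byte) error {
	first, sum, err := parseFirstIFD(b)
	if err != nil {
		return err
	}
	w, h, tw, tl := first[tagImageWidth], first[tagImageLength], first[tagTileWidth], first[tagTileLength]
	enc := sum[tagStripByteCounts] + sum[tagTileByteCounts]
	switch {
	case w == 0 || h == 0: // zero area must not be read as zero work (the CVE-2023-29407 shape)
		return fmt.Errorf("tiff guard: zero dimension %dx%d", w, h)
	case w > maxPixels || h > maxPixels || w*h > maxPixels:
		return fmt.Errorf("tiff guard: %dx%d exceeds pixel budget", w, h)
	case enc > uint64(len(b)) || enc > maxEncodedBytes: // the CVE-2023-29408 shape
		return fmt.Errorf("tiff guard: %d declared encoded bytes in a %d-byte file", enc, len(b))
	case tw != 0 && (tl == 0 || ((w+tw-1)/tw)*((h+tl-1)/tl) > maxTiles):
		return fmt.Errorf("tiff guard: unacceptable %dx%d tiling for %dx%d", tw, tl, w, h)
	}
	return nil
}

// buildTIFF assembles a minimal little-endian TIFF (header, one IFD of up to 255 LONG fields given as
// {tag, value...} in ascending tag order, zero-filled payload) as constructed test input, not a real image.
func buildTIFF(fields [][]uint32, payloadLen int) []byte {
	le, out := binary.LittleEndian, make([]byte, 14+12*len(fields)) // header, count, entries, next IFD = 0
	copy(out, []byte{'I', 'I', 42, 0, 8, 0, 0, 0, byte(len(fields)), 0}) // "II", magic 42, IFD at 8, entry count
	for i, f := range fields {
		p, vals := out[10+12*i:], f[1:]
		le.PutUint16(p, uint16(f[0]))
		le.PutUint16(p[2:], 4) // type LONG
		le.PutUint32(p[4:], uint32(len(vals)))
		le.PutUint32(p[8:], vals[0]) // one value is stored inline; an array goes after the IFD
		if len(vals) > 1 {
			le.PutUint32(p[8:], uint32(len(out)))
			for _, v := range vals {
				out = le.AppendUint32(out, v)
			}
		}
	}
	return append(out, make([]byte, payloadLen)...)
}

func main() { // prints the guard's verdict for a constructed height-0, huge-width tiled file
	fmt.Println(checkTIFF(buildTIFF([][]uint32{{tagImageWidth, 1 << 30}, {tagImageLength, 0}, {tagTileWidth, 16}, {tagTileLength, 16}, {tagTileByteCounts, 64}}, 64)))
}
```

Call `checkTIFF` on the raw bytes before `image.Decode` or `tiff.Decode`, and size the three budgets to what the service is actually prepared to spend. The guard only reads the first IFD, so later pages of a multi-page file are not covered, and it is a defence-in-depth layer in front of the decoder, not a substitute for upgrading to a version that carries the fix under [2].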