Hi Anthony, As you are the uploader for golang-github-disintegration-imaging, I'd like your input on CVE-2023- 36308 and approval for the proposed patch, before any new upload is made.
There has been a failed attempt to inform upstream of this issue at [1], and their last commit was 4 years ago, so we're not likely to see a fix from upstream. Instead, I've found a (very minimal) third-party patch at [2] which fixes this issue, and have pushed it to the Salsa repo[3]. The original security bug report is attached below. Kind regards, Maytham On Mon, 15 Apr 2024 21:30:20 +0300 Maytham Alsudany <maytha8the...@gmail.com> wrote: > Package: golang-github-disintegration-imaging > X-Debbugs-CC: t...@security.debian.org > Severity: normal > Tags: security > > Hi, > > The following vulnerability was published for > golang-github-disintegration-imaging. > > CVE-2023-36308[0]: > | disintegration Imaging 1.6.2 allows attackers to cause a panic > | (because of an integer index out of range during a Grayscale call) > | via a crafted TIFF file to the scan function of scanner.go. NOTE: it > | is unclear whether there are common use cases in which this panic > | could have any security consequence > > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2023-36308 > https://www.cve.org/CVERecord?id=CVE-2023-36308 > > Please adjust the affected versions in the BTS as needed. > > Kind regards, > Maytham [1]: https://github.com/disintegration/imaging/issues/165 [2]: https://github.com/kovidgoyal/imaging/commit/68f6e7d [3]: https://salsa.debian.org/go-team/packages/golang-github-disintegration-imaging/-/commit/24e17d9e
signature.asc
Description: This is a digitally signed message part
