blob: 76e1966965e49f9e4758f0e3584dbe0d18b7b4fd [file] [log] [blame]
id: GO-2023-1572
modules:
- module: golang.org/x/image
versions:
- fixed: 0.5.0
vulnerable_at: 0.4.0
packages:
- package: golang.org/x/image/tiff
symbols:
- decoder.ifdUint
- newDecoder
- Decode
derived_symbols:
- DecodeConfig
summary: Denial of service via crafted TIFF image in golang.org/x/image/tiff
description: |-
An attacker can craft a malformed TIFF image which will consume a significant
amount of memory when passed to DecodeConfig. This could lead to a denial of
service.
ghsas:
- GHSA-qgc7-mgm3-q253
credits:
- Philippe Antoine (Catena cyber)
- OSS Fuzz
references:
- report: https://go.dev/issue/58003
- fix: https://go.dev/cl/468195
- web: https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o
cve_metadata:
id: CVE-2022-41727
cwe: 'CWE-400: Uncontrolled Resource Consumption'
references:
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/
review_status: REVIEWED