data/reports/GO-2023-1572.yaml - vulndb - Git at Google

 id: GO-2023-1572
 modules:
     - module: golang.org/x/image
       versions:
         - fixed: 0.5.0
       vulnerable_at: 0.4.0
       packages:
         - package: golang.org/x/image/tiff
           symbols:
             - decoder.ifdUint
             - newDecoder
             - Decode
           derived_symbols:
             - DecodeConfig
 summary: Denial of service via crafted TIFF image in golang.org/x/image/tiff
 description: |-
     An attacker can craft a malformed TIFF image which will consume a significant
     amount of memory when passed to DecodeConfig. This could lead to a denial of
     service.
 ghsas:
     - GHSA-qgc7-mgm3-q253
 credits:
     - Philippe Antoine (Catena cyber)
     - OSS Fuzz
 references:
     - report: https://go.dev/issue/58003
     - fix: https://go.dev/cl/468195
     - web: https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o
 cve_metadata:
     id: CVE-2022-41727
     cwe: 'CWE-400: Uncontrolled Resource Consumption'
     references:
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/
	id: GO-2023-1572
	modules:
	- module: golang.org/x/image
	versions:
	- fixed: 0.5.0
	vulnerable_at: 0.4.0
	packages:
	- package: golang.org/x/image/tiff
	symbols:
	- decoder.ifdUint
	- newDecoder
	- Decode
	derived_symbols:
	- DecodeConfig
	summary: Denial of service via crafted TIFF image in golang.org/x/image/tiff
	description: \|-
	An attacker can craft a malformed TIFF image which will consume a significant
	amount of memory when passed to DecodeConfig. This could lead to a denial of
	service.
	ghsas:
	- GHSA-qgc7-mgm3-q253
	credits:
	- Philippe Antoine (Catena cyber)
	- OSS Fuzz
	references:
	- report: https://go.dev/issue/58003
	- fix: https://go.dev/cl/468195
	- web: https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o
	cve_metadata:
	id: CVE-2022-41727
	cwe: 'CWE-400: Uncontrolled Resource Consumption'
	references:
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/