CVE-2023-29408
Summary
| CVE | CVE-2023-29408 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2023-08-02 20:15:00 UTC |
|---|
| Updated | 2023-11-07 04:11:00 UTC |
|---|
| Description | The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| go.dev/cl/514897 |
MISC |
go.dev |
|
| x/image/tiff: lack of limits on compressed tile data [CVE-2023-29408] · Issue #61582 · golang/go · GitHub |
MISC |
go.dev |
|
| [SECURITY] Fedora 37 Update: golang-x-image-0.13.0-1.fc37 - package-announce - Fedora Mailing-Lists |
MISC |
lists.fedoraproject.org |
|
| [SECURITY] Fedora 38 Update: golang-x-image-0.13.0-1.fc38 - package-announce - Fedora Mailing-Lists |
MISC |
lists.fedoraproject.org |
|
| August 2023 Golang Vulnerabilities in NetApp Products | NetApp Product Security |
MISC |
security.netapp.com |
|
| 404 Not Found - Go Packages |
MISC |
pkg.go.dev |
|
| [SECURITY] Fedora 39 Update: golang-x-image-0.13.0-1.fc39 - package-announce - Fedora Mailing-Lists |
MISC |
lists.fedoraproject.org |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 284634 Fedora Security Update for golang (FEDORA-2023-4d95d44e7b)
- 284635 Fedora Security Update for golang (FEDORA-2023-c862a1e289)
- 285210 Fedora Security Update for golang (FEDORA-2023-28cff1a2de)
- 995811 GO (Go) Security Update for golang.org/x/image (GHSA-x92r-3vfx-4cv3)
