Lucene search

GoogleOSV:CVE-2023-29408

HistoryAug 02, 2023 - 8:15 p.m.

CVE-2023-29408

2023-08-0220:15:11

Google

osv.dev

cve-2023-29408

tiff decoder

memory consumption

cpu usage

malicious image

software vulnerability

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.7%

JSON

The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU.

CPENameOperatorVersion
imageeq0.7.0
imageeq0.6.0
imageeq0.5.0
imageeq0.4.0
imageeq0.3.0
imageeq0.1.0
imageeq0.2.0
imageeq0.9.0
imageeq0.8.0

Name	Operator	Version
image	eq	0.7.0
image	eq	0.6.0
image	eq	0.5.0
image	eq	0.4.0
image	eq	0.3.0
image	eq	0.1.0
image	eq	0.2.0
image	eq	0.9.0
image	eq	0.8.0

References

go.dev/cl/514897

go.dev/issue/61582

lists.fedoraproject.org/archives/list/[email protected]/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/

lists.fedoraproject.org/archives/list/[email protected]/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/

lists.fedoraproject.org/archives/list/[email protected]/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/

pkg.go.dev/vuln/GO-2023-1989

security.netapp.com/advisory/ntap-20230831-0009/