Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/image/tiff: lack of limits on compressed tile data [CVE-2023-29408] #61582

Closed
neild opened this issue Jul 25, 2023 · 1 comment
Closed

x/image/tiff: lack of limits on compressed tile data [CVE-2023-29408] #61582

neild opened this issue Jul 25, 2023 · 1 comment
Assignees
@neild
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone
Unreleased

Comments

@neild
Copy link
Contributor

neild commented Jul 25, 2023
edited
Loading

The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encodes size) make the decoder decode large amounts of compressed data, consuming excessive memory and CPU.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

This is CVE-2023-29408.

This is a PRIVATE issue for CVE-2023-29408, tracked in http://b/279482083 and fixed by http://tg/1944079.

/cc @golang/security and @golang/release
@neild neild added Security NeedsFix The path to resolution is known, but the work has not been done. labels Jul 25, 2023
@neild neild self-assigned this Jul 25, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/514897 mentions this issue: tiff: limit work when decoding malicious images

@neild neild changed the title security: fix CVE-2023-29408 x/image: lack of limits on compressed tile data [CVE-2023-29408] Aug 1, 2023
@dmitshur dmitshur changed the title x/image: lack of limits on compressed tile data [CVE-2023-29408] x/image/tiff: lack of limits on compressed tile data [CVE-2023-29408] Aug 2, 2023
@dmitshur dmitshur added this to the Unreleased milestone Aug 2, 2023
@golang golang locked and limited conversation to collaborators Aug 1, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@neild neild

Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. Security
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
3 participants
@neild @dmitshur @gopherbot