Your message dated Wed, 1 Nov 2023 16:57:51 +0100
with message-id <[email protected]>
and subject line [[email protected]: Accepted
golang-golang-x-image 0.11.0-1 (source) into unstable]
has caused the Debian Bug report #1043159,
regarding golang-golang-x-image: CVE-2023-29407 CVE-2023-29408
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1043159: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043159
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-golang-x-image
Version: 0.7.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for golang-golang-x-image.
CVE-2023-29407[0]:
| A maliciously-crafted image can cause excessive CPU consumption in
| decoding. A tiled image with a height of 0 and a very large width
| can cause excessive CPU consumption, despite the image size (width *
| height) appearing to be zero.
CVE-2023-29408[1]:
| The TIFF decoder does not place a limit on the size of compressed
| tile data. A maliciously-crafted image can exploit this to cause a
| small image (both in terms of pixel width/height, and encoded size)
| to make the decoder decode large amounts of compressed data,
| consuming excessive memory and CPU.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-29407
https://www.cve.org/CVERecord?id=CVE-2023-29407
https://go.dev/issue/61581
[1] https://security-tracker.debian.org/tracker/CVE-2023-29408
https://www.cve.org/CVERecord?id=CVE-2023-29408
https://go.dev/issue/61582
[2] https://github.com/golang/image/commit/cb227cd2c919b27c6206fe0c1041a8bcc677949d
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
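The zero-height, very-wide tiled image described under CVE-2023-29407 above, as an added example that is not part of this bug report or of the x/image fix: a pre-decode guard in Go that reads only the TIFF header and first IFD and rejects tile geometries that would make a decoder do work out of proportion to the pixel area. The tag numbers come from the TIFF 6.0 specification; the tileCount and tiledHeader functions, the maxTiles budget and the constructed headers are assumptions of this example, not upstream code.

```go
package main
import "encoding/binary"
import "errors"
// TIFF 6.0 tags: ImageWidth, ImageLength, TileWidth, TileLength.
const tagW, tagH, tagTW, tagTH = 256, 257, 322, 323
// tileCount parses the TIFF header and first IFD (single-value SHORT/LONG entries only) and
// returns how many tiles a decoder would visit, rejecting zero-dimension or oversized tilings.
func tileCount(b []byte, maxTiles uint64) (uint64, error) {
	if len(b) < 8 {
		return 0, errors.New("truncated header")
	}
	bo := map[string]binary.ByteOrder{"II": binary.LittleEndian, "MM": binary.BigEndian}[string(b[:2])]
	if bo == nil || bo.Uint16(b[2:]) != 42 {
		return 0, errors.New("not a TIFF header")
	}
	off := int(bo.Uint32(b[4:])) // first IFD: 2-byte entry count, then 12-byte entries
	if off < 8 || off+2 > len(b) || off+2+12*int(bo.Uint16(b[off:])) > len(b) {
		return 0, errors.New("IFD out of range")
	}
	geom := map[uint16]uint64{} // tag -> inline value
	for i, n := 0, int(bo.Uint16(b[off:])); i < n; i++ {
		e := b[off+2+12*i:] // entry: tag(2) type(2) count(4) value/offset(4)
		if typ := bo.Uint16(e[2:]); bo.Uint32(e[4:]) == 1 && typ == 3 {
			geom[bo.Uint16(e)] = uint64(bo.Uint16(e[8:])) // SHORT, left-justified in the value field
		} else if bo.Uint32(e[4:]) == 1 && typ == 4 {
			geom[bo.Uint16(e)] = uint64(bo.Uint32(e[8:])) // LONG
		}
	}
	if _, tiled := geom[tagTW]; !tiled {
		return 0, nil // striped image: not the tiled code path
	}
	w, h, tw, th := geom[tagW], geom[tagH], geom[tagTW], geom[tagTH]
	if w == 0 || h == 0 || tw == 0 || th == 0 {
		return 0, errors.New("tiled image with a zero dimension")
	}
	if tiles := ((w + tw - 1) / tw) * ((h + th - 1) / th); tiles <= maxTiles {
		return tiles, nil
	}
	return 0, errors.New("tile count exceeds budget")
}

// tiledHeader builds a little-endian TIFF header plus one IFD with the four geometry tags as LONGs (constructed test input, no pixel data).
func tiledHeader(w, h, tw, th uint32) []byte {
	le, b := binary.LittleEndian, []byte{'I', 'I', 42, 0, 8, 0, 0, 0, 4, 0} // magic, IFD at 8, 4 entries
	for _, t := range [][2]uint32{{tagW, w}, {tagH, h}, {tagTW, tw}, {tagTH, th}} {
		b = le.AppendUint16(le.AppendUint16(b, uint16(t[0])), 4) // tag, type LONG
		b = le.AppendUint32(le.AppendUint32(b, 1), t[1])         // count 1, value
	}
	return le.AppendUint32(b, 0) // no next IFD
}
```

A guard like this only bounds the tile loop; the compressed-tile-size problem of CVE-2023-29408 needs a separate cap on TileByteCounts, which this example does not attempt.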
--- Begin Message ---
Source: golang-golang-x-image
Source-Version: 0.11.0-1
This upload did fix CVE-2023-29407 and CVE-2023-29408 tracked with
#1043159, but the bug was not closed. Doing so manually now.
----- Forwarded message from Debian FTP Masters
<[email protected]> -----
Format: 1.8
Date: Mon, 09 Oct 2023 17:18:55 -0600
Source: golang-golang-x-image
Architecture: source
Version: 0.11.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Anthony Fok <[email protected]>
Changes:
golang-golang-x-image (0.11.0-1) unstable; urgency=medium
.
* New upstream version 0.11.0
* Bump versioned dependency as per go.mod
----- End forwarded message -----
--- End Message ---