Source: golang-golang-x-image
Version: 0.39.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for golang-golang-x-image.

CVE-2026-46599[0]:
| The TIFF decoder does not place a limit on the size of PackBits-
| compressed data. A maliciously-crafted image can exploit this to
| cause a small image (both in terms of pixel width/height and encoded
| size) to make the decoder decode large amounts of compressed data.

CVE-2026-42500[1]:
| Decoding a paletted BMP file with an out-of-range palette index
| results in a panic when accessing pixels in the invalid image.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-46599
    https://www.cve.org/CVERecord?id=CVE-2026-46599
    https://github.com/golang/go/issues/79577
[1] https://security-tracker.debian.org/tracker/CVE-2026-42500
    https://www.cve.org/CVERecord?id=CVE-2026-42500
    https://github.com/golang/go/issues/79576

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
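
A caller-side check for the condition described in CVE-2026-42500, as an added example that is not part of the original report or of golang.org/x/image. It assumes the decoded BMP reaches the caller as a standard-library `*image.Paletted`; the function names are hypothetical and the sample image is constructed in memory rather than decoded from a file.

```go
package main

import (
	"fmt"
	"image"
	"image/color"
)

// checkPaletteIndices returns an error if any pixel of a paletted image
// refers to a palette entry that does not exist. Other image types pass.
func checkPaletteIndices(img image.Image) error {
	p, ok := img.(*image.Paletted)
	if !ok {
		return nil
	}
	b, n := p.Rect, len(p.Palette)
	for y := b.Min.Y; y < b.Max.Y; y++ {
		off := p.PixOffset(b.Min.X, y)
		for x, idx := range p.Pix[off : off+b.Dx()] {
			if int(idx) >= n {
				return fmt.Errorf("pixel (%d,%d): palette index %d, palette has %d entries",
					b.Min.X+x, y, idx, n)
			}
		}
	}
	return nil
}

// constructedBadImage builds a 2x2 image with a 2-entry palette whose last
// pixel holds index 7 (constructed sample, stands in for a decoded file).
func constructedBadImage() *image.Paletted {
	img := image.NewPaletted(image.Rect(0, 0, 2, 2), color.Palette{color.Black, color.White})
	img.Pix[3] = 7
	return img
}

// atPanics reports whether reading one pixel panics.
func atPanics(img image.Image, x, y int) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	img.At(x, y)
	return false
}

func main() {
	img := constructedBadImage()
	fmt.Println("validation:", checkPaletteIndices(img))
	fmt.Println("At(1,1) panics:", atPanics(img, 1, 1))
}
```

Running the check directly after decoding and rejecting the image on error keeps the out-of-range index from reaching later pixel accesses.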

