Bug#1069062: golang-github-disintegration-imaging: CVE-2023-36308

2024-04-24 Thread Nilesh Patra
Hi Security team,

There's a third-party patch for this CVE[2], and at least testing locally with
the PoC in [1] seems to mitigate the issue. Do you think this is OK to pick and
upload?

Maytham Alsudany wrote:
>  Hi Anthony,
>  
>  As you are the uploader for golang-github-disintegration-imaging, I'd like
>  your input on CVE-2023-36308 and approval for the proposed patch, before any
>  new upload is made.
>  
>  There has been a failed attempt to inform upstream of this issue at [1], and
>  their last commit was 4 years ago, so we're not likely to see a fix from
>  upstream.
>  
>  Instead, I've found a (very minimal) third-party patch at [2] which fixes
>  this issue, and have pushed it to the Salsa repo[3].
>  
>  The original security bug report is attached below.
>  
>  Kind regards,
>  Maytham
>  
>  On Mon, 15 Apr 2024 21:30:20 +0300 Maytham Alsudany wrote:
> > Package: golang-github-disintegration-imaging
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: normal
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerability was published for 
> > golang-github-disintegration-imaging.
> > 
> > CVE-2023-36308[0]:
> > | disintegration Imaging 1.6.2 allows attackers to cause a panic
> > | (because of an integer index out of range during a Grayscale call)
> > | via a crafted TIFF file to the scan function of scanner.go. NOTE: it
> > | is unclear whether there are common use cases in which this panic
> > | could have any security consequence
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2023-36308
> > https://www.cve.org/CVERecord?id=CVE-2023-36308
> > 
> > Please adjust the affected versions in the BTS as needed.
> > 
> > Kind regards,
> > Maytham
>  
>  [1]: https://github.com/disintegration/imaging/issues/165
>  [2]: https://github.com/kovidgoyal/imaging/commit/68f6e7d
>  [3]: https://salsa.debian.org/go-team/packages/golang-github-disintegration-imaging/-/commit/24e17d9e
>

Best,
Nilesh




Bug#1069062: golang-github-disintegration-imaging: CVE-2023-36308

2024-04-18 Thread Maytham Alsudany
Hi Anthony,

As you are the uploader for golang-github-disintegration-imaging, I'd like your
input on CVE-2023-36308 and approval for the proposed patch, before any new
upload is made.

There has been a failed attempt to inform upstream of this issue at [1], and
their last commit was 4 years ago, so we're not likely to see a fix from
upstream.

Instead, I've found a (very minimal) third-party patch at [2] which fixes this
issue, and have pushed it to the Salsa repo[3].

The original security bug report is attached below.

Kind regards,
Maytham

On Mon, 15 Apr 2024 21:30:20 +0300 Maytham Alsudany wrote:
> Package: golang-github-disintegration-imaging
> X-Debbugs-CC: t...@security.debian.org
> Severity: normal
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for 
> golang-github-disintegration-imaging.
> 
> CVE-2023-36308[0]:
> | disintegration Imaging 1.6.2 allows attackers to cause a panic
> | (because of an integer index out of range during a Grayscale call)
> | via a crafted TIFF file to the scan function of scanner.go. NOTE: it
> | is unclear whether there are common use cases in which this panic
> | could have any security consequence
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2023-36308
> https://www.cve.org/CVERecord?id=CVE-2023-36308
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Kind regards,
> Maytham

[1]: https://github.com/disintegration/imaging/issues/165
[2]: https://github.com/kovidgoyal/imaging/commit/68f6e7d
[3]: https://salsa.debian.org/go-team/packages/golang-github-disintegration-imaging/-/commit/24e17d9e





Bug#1069062: golang-github-disintegration-imaging: CVE-2023-36308

2024-04-15 Thread Maytham Alsudany
Package: golang-github-disintegration-imaging
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for 
golang-github-disintegration-imaging.

CVE-2023-36308[0]:
| disintegration Imaging 1.6.2 allows attackers to cause a panic
| (because of an integer index out of range during a Grayscale call)
| via a crafted TIFF file to the scan function of scanner.go. NOTE: it
| is unclear whether there are common use cases in which this panic
| could have any security consequence


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-36308
https://www.cve.org/CVERecord?id=CVE-2023-36308

Please adjust the affected versions in the BTS as needed.

Kind regards,
Maytham
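The failure mode described for CVE-2023-36308 is a Go runtime panic (index out of range) triggered by a malformed image, which in a long-running service becomes a crash on one bad input. The example below is added here and is not code from the imaging library, the third-party patch, or this bug report: it shows the two defensive measures a consumer of such a library wants, an up-front check that a gray image's Pix buffer actually covers its declared bounds, and a recover wrapper that turns a panic in an image operation into an ordinary error. `truncatedGray` is a constructed stand-in for a decoded image with a short buffer; the real bug lives in the library's scanner.go, which is not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"image"
)

// ErrImagePanic is returned when the wrapped image operation panicked.
var ErrImagePanic = errors.New("image operation panicked on untrusted input")

// SafeImageOp runs op and converts a runtime panic (for example an
// index-out-of-range inside a decode or grayscale pass) into an error,
// so one malformed file cannot take down the whole process.
func SafeImageOp(op func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%w: %v", ErrImagePanic, r)
		}
	}()
	return op()
}

// CheckGrayBuffer is the up-front validation a scanner should perform:
// the Pix buffer must cover every row that the declared bounds promise.
func CheckGrayBuffer(g *image.Gray) error {
	b := g.Bounds()
	need := 0
	if !b.Empty() {
		need = (b.Dy()-1)*g.Stride + b.Dx()
	}
	if len(g.Pix) < need {
		return fmt.Errorf("pix buffer too short: have %d bytes, need %d", len(g.Pix), need)
	}
	return nil
}

// truncatedGray is a constructed (hypothetical) image whose Pix buffer is
// shorter than its 4x4 bounds promise, the shape of input that makes an
// unchecked scan index past the slice.
func truncatedGray() *image.Gray {
	g := image.NewGray(image.Rect(0, 0, 4, 4))
	g.Pix = g.Pix[:4] // 4 bytes where 16 are declared
	return g
}

// grayscaleSum walks every pixel by index, trusting the declared bounds the
// way a naive scanner would; SafeImageOp confines the resulting panic.
func grayscaleSum(g *image.Gray) (sum int, err error) {
	err = SafeImageOp(func() error {
		b := g.Bounds()
		for y := b.Min.Y; y < b.Max.Y; y++ {
			for x := b.Min.X; x < b.Max.X; x++ {
				sum += int(g.Pix[y*g.Stride+x]) // panics on truncatedGray
			}
		}
		return nil
	})
	return sum, err
}

func main() {
	_, err := grayscaleSum(truncatedGray())
	fmt.Println("unchecked scan:", err)
	fmt.Println("up-front check:", CheckGrayBuffer(truncatedGray()))
}
```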

