Bug 1213967 (CVE-2023-29407)

Summary: VUL-0: TRACKERBUG: CVE-2023-29407: golang.org/x/image/tiff: excessive CPU consumption in decoding
Product: [Novell Products] SUSE Security Incidents Reporter: Stoyan Manolov <stoyan.manolov>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: albino, jkowalczyk, marix, meissner, scott.bradnick, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/374015/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Stoyan Manolov 2023-08-04 03:56:02 UTC 
CVE-2023-29407

A maliciously-crafted image can cause excessive CPU consumption in decoding. A
tiled image with a height of 0 and a very large width can cause excessive CPU
consumption, despite the image size (width * height) appearing to be zero.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29407
https://bugzilla.redhat.com/show_bug.cgi?id=2228735
https://www.cve.org/CVERecord?id=CVE-2023-29407
https://go.dev/cl/514897
https://go.dev/issue/61581
https://pkg.go.dev/vuln/GO-2023-1990
Comment 1 Bruno Pitrus 2023-08-04 06:43:55 UTC 
I checked the debugsource package and this code is not shipped in app-builder (probably removed during linking as dead code). Removing myself from the cc list.