Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/image/tiff: over allocation in DecodeConfig (CVE-2022-41727) #58003

Closed
rolandshoemaker opened this issue Jan 25, 2023 · 5 comments
Closed

x/image/tiff: over allocation in DecodeConfig (CVE-2022-41727) #58003

rolandshoemaker opened this issue Jan 25, 2023 · 5 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone
Unreleased

Comments

@rolandshoemaker
Copy link
Member

This is a PRIVATE issue for CVE-2022-41727, tracked in http://b/262244452 and fixed by http://tg/1680712.

/cc @golang/security and @golang/release
@mknyszek mknyszek added the NeedsFix The path to resolution is known, but the work has not been done. label Jan 30, 2023
@mknyszek mknyszek added this to the Go1.21 milestone Jan 30, 2023
@Jason7602
Copy link
Contributor

@gopherbot please open backport issues.

This was referenced Feb 8, 2023
Closed
Closed
@gopherbot
Copy link
Contributor

Backport issue(s) opened: #58403 (for 1.19), #58404 (for 1.20).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@rolandshoemaker
Copy link
Member Author

This change will not be backported, as it is a change to a golang.org/x/ module which is not vendored in the standard library.

@dmitshur dmitshur modified the milestones: Go1.21, Unreleased Feb 9, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/468195 mentions this issue: tiff: don't pre-allocate giant slices before reading

@dmitshur dmitshur changed the title security: fix CVE-2022-41727 x/image/tiff: over allocation in DecodeConfig (CVE-2022-41727) Feb 14, 2023
@epelc
Copy link

epelc commented Feb 15, 2023

Does this warrant reconsidering #20814

@zafs23 zafs23 mentioned this issue Mar 20, 2023
Closed
@Yoavast Yoavast mentioned this issue Apr 13, 2023
Closed
@bcmills bcmills mentioned this issue Jun 20, 2023
Open
@golang golang locked and limited conversation to collaborators Feb 15, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. Security
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
6 participants
@mknyszek @dmitshur @rolandshoemaker @epelc @gopherbot @Jason7602