Medium severity6.5NVD Advisory· Published Aug 2, 2023· Updated Jun 17, 2026
CVE-2023-29408
CVE-2023-29408
Description
The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
golang.org/x/imageGo | < 0.10.0 | 0.10.0 |
Affected products
7- ghsa-coords6 versionspkg:golang/golang.org/x/imagepkg:rpm/opensuse/keybase-client&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/keybase-client&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/keybase-client&distro=openSUSE%20Tumbleweedpkg:rpm/suse/keybase-client&distro=SUSE%20Package%20Hub%2015%20SP5pkg:rpm/suse/keybase-client&distro=SUSE%20Package%20Hub%2015%20SP6
< 0.10.0+ 5 more
- (no CPE)range: < 0.10.0
- (no CPE)range: < 6.2.8-bp156.2.3.1
- (no CPE)range: < 6.2.8-bp156.2.3.1
- (no CPE)range: < 6.2.2-2.1
- (no CPE)range: < 6.2.8-bp156.2.3.1
- (no CPE)range: < 6.2.8-bp156.2.3.1
- golang.org/x/image/golang.org/x/image/tiffv5Range: 0
Patches
Vulnerability mechanics
References
13- go.dev/cl/514897nvdPatchWEB
- go.dev/issue/61582nvdIssue TrackingPatchVendor AdvisoryWEB
- pkg.go.dev/vuln/GO-2023-1989nvdIssue TrackingPatchVendor AdvisoryWEB
- github.com/advisories/GHSA-x92r-3vfx-4cv3ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/nvdMailing ListThird Party Advisory
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/nvdMailing ListThird Party Advisory
- nvd.nist.gov/vuln/detail/CVE-2023-29408ghsaADVISORY
- security.netapp.com/advisory/ntap-20230831-0009/nvdThird Party Advisory
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESKghsaWEB
- security.netapp.com/advisory/ntap-20230831-0009ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/nvd
News mentions
0No linked articles in our index yet.