VYPR
Low severity · NVD Advisory · Published Sep 5, 2023 · Updated Nov 4, 2025

CVE-2023-36308

Description

disintegration Imaging 1.6.2 allows attackers to cause a panic (because of an integer index out of range during a Grayscale call) via a crafted TIFF file to the scan function of scanner.go. NOTE: it is unclear whether there are common use cases in which this panic could have any security consequence

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Imaging 1.6.2 panics on a crafted TIFF because of an integer index out of range in scanner.go during a Grayscale call, which can be abused for denial of service.

Version 1.6.2 of the imaging library, which provides image processing functions in Go, contains a bug in which a specially crafted TIFF file triggers a runtime panic. The root cause is in the scan function of scanner.go, which indexes the image palette with a pixel value (s.palette[img.Pix[i]]). When a malicious TIFF is decoded as a paletted image (image.Paletted), a pixel index can exceed the palette length, and that lookup panics with an index out of range [3].

To trigger the panic, an attacker supplies a crafted TIFF file that is decoded by the standard image.Decode function and then passed to imaging.Grayscale. The attack requires no authentication and can be delivered through any path by which the victim processes a TIFF with the imaging library, such as uploading an image to a web service or opening a file in a desktop application [3]. The panic occurs even with GOMAXPROCS=1, and the proof-of-concept output in the report shows a panic with an index of 70 against a palette length of 65 [3].

The impact is a denial of service (DoS): the program crashes (panics), potentially interrupting service. The official description notes that it is unclear whether the panic has any security consequence in common use cases [2]. Still, an attacker who can supply a file that triggers the panic can terminate the application and disrupt availability. No code execution or data leakage is reported.

Version 1.6.2, the release of the imaging library cited by the advisory, is the version containing the bug [1]. As of the advisory, the disclosure does not specify a fix or a newer patched version; users should apply any subsequent updates from the repository. The issue is tracked in GitHub issue #165 [3]. There is no indication that the vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
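A defender-side pre-check for the failure mode described above, added here as an example that is not code from the imaging library or the advisory: it validates a decoded *image.Paletted before any palette-indexing call such as Grayscale. The 65-entry palette and the index 70 are a constructed sample matching the figures in the report; ValidatePaletted, ValidateDecoded and newSampleImage are names chosen for this example.

```go
package main

import (
	"fmt"
	"image"
	"image/color"
)

// ValidatePaletted checks that every pixel index in img can be looked up in
// img.Palette. A decoder does not guarantee this for a hostile file, and a
// consumer that evaluates s.palette[img.Pix[i]] without a check will panic.
func ValidatePaletted(img *image.Paletted) error {
	n := len(img.Palette)
	for i, idx := range img.Pix {
		if int(idx) >= n {
			return fmt.Errorf("pixel %d: palette index %d out of range, palette length %d", i, idx, n)
		}
	}
	return nil
}

// ValidateDecoded applies the check to whatever image.Decode returned; only
// the paletted model stores indices, the other models store samples directly.
func ValidateDecoded(m image.Image) error {
	if p, ok := m.(*image.Paletted); ok {
		return ValidatePaletted(p)
	}
	return nil
}

// newSampleImage builds a 4x4 paletted image with a 65-entry palette (a
// constructed sample matching the advisory). With bad set, one pixel receives
// index 70; writing Pix directly bypasses SetColorIndex, as a decoder would.
func newSampleImage(bad bool) *image.Paletted {
	pal := make(color.Palette, 65)
	for i := range pal {
		pal[i] = color.Gray{Y: uint8(i)}
	}
	img := image.NewPaletted(image.Rect(0, 0, 4, 4), pal)
	if bad {
		img.Pix[5] = 70
	}
	return img
}

func main() {
	fmt.Println("well-formed:", ValidateDecoded(newSampleImage(false)))
	fmt.Println("crafted:", ValidateDecoded(newSampleImage(true)))
}
```

Call ValidateDecoded on the result of image.Decode and reject the file on error instead of passing it on; for a non-paletted decode the check is a no-op.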

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/disintegration/imaging (Go)
Affected versions: <= 1.6.2
Patched versions: none listed

Patches

No patches discovered yet.
