Bugzilla – Bug 1208861
VUL-0: CVE-2022-41727: containerized-data-importer: golang.org/x/image: Uncontrolled Resource Consumption
Last modified: 2023-03-02 16:25:13 UTC
+++ This bug was initially created as a clone of Bug #1208853 +++ CVE-2022-41727 An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service. https://go.dev/cl/468195 https://go.dev/issue/58003 https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o https://pkg.go.dev/vuln/GO-2023-1572 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41727 https://bugzilla.redhat.com/show_bug.cgi?id=2174311 https://www.cve.org/CVERecord?id=CVE-2022-41727 https://go.dev/cl/468195 https://go.dev/issue/58003 https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o https://pkg.go.dev/vuln/GO-2023-1572
Our scanners show golang.org/x/image with version < 0.5.0 embedded in: - SUSE:SLE-15-SP3:Update/containerized-data-importer - SUSE:SLE-15-SP4:Update/containerized-data-importer - SUSE:SLE-15-SP5:Update/containerized-data-importer - openSUSE:Factory/containerized-data-importer
Sorry, we had a massive false positive problem. Closing