CVE-2023-29407: 
NixOS vulnerability analysis and mitigation

CVE-2023-29407 is a vulnerability in the Golang image package that was discovered and disclosed in August 2023. The vulnerability affects the TIFF image processing functionality in golang.org/x/image versions prior to 0.10.0. A maliciously-crafted image can cause excessive CPU consumption in decoding, specifically when a tiled image with a height of 0 and a very large width is processed (NVD, Go Package).

The vulnerability occurs when processing TIFF images with specific malformed parameters. A tiled image with a height of 0 and a very large width can trigger excessive CPU consumption during the decoding process, despite the image size (width * height) appearing to be zero. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The issue has been classified as CWE-834 (Excessive Iteration) (NVD, NetApp Advisory).

When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition through excessive CPU consumption. The impact is primarily on system availability, with no direct effect on confidentiality or integrity of the system (NetApp Advisory).

The vulnerability has been fixed in golang.org/x/image version 0.10.0 and later. Users are advised to upgrade to the patched version. The fix has been incorporated into various distributions, including Fedora 37, 38, and 39 through version 0.13.0-1 of the golang-x-image package (Fedora Update).