mirror of https://github.com/go-gitea/gitea.git synced 2026-06-02 03:52:28 +02:00

fix(deps): update module golang.org/x/image to v0.41.0 [security] (#37904)

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) | [`v0.40.0` → `v0.41.0`](https://cs.opensource.google/go/x/image/+/refs/tags/v0.40.0...refs/tags/v0.41.0) | ![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fimage/v0.41.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fimage/v0.40.0/v0.41.0?slim=true) |

---

### Panic when reading out of bound palette index in golang.org/x/image/bmp

[CVE-2026-42500](https://nvd.nist.gov/vuln/detail/CVE-2026-42500) / [GO-2026-5031](https://pkg.go.dev/vuln/GO-2026-5031)

<details>
<summary>More information</summary>

#### Details
Decoding a paletted BMP file with an out-of-range palette index results
in a panic when accessing pixels in the invalid image.

#### Severity
Unknown

#### References
- [https://go.dev/issue/79576](https://go.dev/issue/79576)
- [https://groups.google.com/g/golang-announce/c/uhYX90BlBvI](https://groups.google.com/g/golang-announce/c/uhYX90BlBvI)
- [https://go.dev/cl/781500](https://go.dev/cl/781500)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2026-5031) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb)
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).
</details>

---

### Excessive resource consumption in PackBits decompression in golang.org/x/image/tiff

[CVE-2026-46599](https://nvd.nist.gov/vuln/detail/CVE-2026-46599) / [GO-2026-5032](https://pkg.go.dev/vuln/GO-2026-5032)

<details>
<summary>More information</summary>

#### Details
The TIFF decoder does not place a limit on the size of
PackBits-compressed data. A maliciously-crafted image can exploit this
to cause a small image (both in terms of pixel width/height and encoded
size) to make the decoder decode large amounts of compressed data.

#### Severity
Unknown

#### References
- [https://go.dev/issue/79577](https://go.dev/issue/79577)
- [https://go.dev/cl/759960](https://go.dev/cl/759960)
- [https://groups.google.com/g/golang-announce/c/uhYX90BlBvI](https://groups.google.com/g/golang-announce/c/uhYX90BlBvI)

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2026-5032) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb)
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).
</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
Giteabot 2026-05-29 15:04:40 -07:00 committed by GitHub
parent dd59c68486
commit d07a42e777
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 3 additions and 3 deletions
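The two advisories above describe the same consumer-side failure modes that any service decoding untrusted images has to budget for: a decoder that panics on a malformed file, and a decoder that is driven to do far more work than the input size suggests. As an added illustration (not part of this Renovate PR or of Gitea's code), the block below shows the generic hardening a caller can put around `image.Decode`: cap the encoded bytes read, check the declared geometry from `image.DecodeConfig` before allocating pixels, and contain a decoder panic as an error. It uses only the standard library so it runs without `golang.org/x/image`; the `panicky` format, the limits, and the sample PNG are constructed for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"image"
	"image/color"
	"image/png" // registers the PNG decoder and provides png.Encode for the sample
	"io"
)

// Hypothetical limits chosen for this example; a real service tunes them to
// its own upload policy.
const (
	maxEncodedBytes = 1 << 20     // 1 MiB of encoded input is all we will read
	maxPixels       = 4000 * 4000 // refuse images whose declared geometry is huge
)

var (
	errTooLarge    = errors.New("image: encoded input exceeds size limit")
	errTooManyPix  = errors.New("image: declared dimensions exceed pixel budget")
	errDecodePanic = errors.New("image: decoder panicked on malformed input")
)

// safeDecode decodes an untrusted image with three guards:
//  1. io.LimitReader caps how many encoded bytes the decoder may consume. This
//     bounds input, not what a decompressor produces from it, so it narrows
//     but does not remove the PackBits-style issue; the upgrade is still needed.
//  2. image.DecodeConfig reads only the header, so absurd width*height can be
//     rejected before any pixel buffer is allocated.
//  3. recover turns a decoder panic (the BMP palette-index case) into an error
//     instead of taking the goroutine, and with it the process, down.
func safeDecode(r io.Reader) (img image.Image, format string, err error) {
	data, err := io.ReadAll(io.LimitReader(r, maxEncodedBytes+1))
	if err != nil {
		return nil, "", err
	}
	if len(data) > maxEncodedBytes {
		return nil, "", errTooLarge
	}
	// Header pass: only the metadata is parsed here.
	cfg, format, err := image.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return nil, "", fmt.Errorf("image: decode config: %w", err)
	}
	if cfg.Width <= 0 || cfg.Height <= 0 || int64(cfg.Width)*int64(cfg.Height) > maxPixels {
		return nil, "", errTooManyPix
	}
	defer func() {
		if rec := recover(); rec != nil {
			img, err = nil, fmt.Errorf("%w (format %q): %v", errDecodePanic, format, rec)
		}
	}()
	// Full decode of the bytes already bounded above.
	img, format, err = image.Decode(bytes.NewReader(data))
	return img, format, err
}

// panickyMagic introduces a constructed (fake) image format registered only so
// the example can show a decoder panic being contained; it is not a real format.
const panickyMagic = "PANIC!"

func init() {
	image.RegisterFormat("panicky", panickyMagic,
		func(io.Reader) (image.Image, error) {
			panic("out-of-range palette index") // stands in for the bmp advisory
		},
		func(io.Reader) (image.Config, error) {
			return image.Config{ColorModel: color.RGBAModel, Width: 2, Height: 2}, nil
		})
}

// samplePNG encodes a tiny constructed 2x2 image so the example runs offline.
func samplePNG() []byte {
	m := image.NewRGBA(image.Rect(0, 0, 2, 2))
	m.Set(0, 0, color.RGBA{R: 255, A: 255})
	m.Set(1, 1, color.RGBA{B: 255, A: 255})
	var buf bytes.Buffer
	if err := png.Encode(&buf, m); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	inputs := []struct {
		name string
		data []byte
	}{
		{"valid png", samplePNG()},
		{"panicking input", []byte(panickyMagic + "garbage")},
		{"oversized input", bytes.Repeat([]byte{0}, maxEncodedBytes+1)},
	}
	for _, in := range inputs {
		img, format, err := safeDecode(bytes.NewReader(in.data))
		if err != nil {
			fmt.Printf("%-16s -> rejected: %v\n", in.name, err)
			continue
		}
		fmt.Printf("%-16s -> %s %v\n", in.name, format, img.Bounds())
	}
}
```

The guards are defence in depth, not a substitute for the bump: the pixel budget and byte cap catch most hostile inputs cheaply, and the recover keeps one bad file from crashing the server, but a decompression bomb that fits inside the byte cap is exactly what the tiff fix in v0.41.0 addresses, so keep the dependency current as well.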

go.mod
@ -104,7 +104,7 @@ require (
gitlab.com/gitlab-org/api/client-go/v2 v2.30.0
go.yaml.in/yaml/v4 v4.0.0-rc.3
golang.org/x/crypto v0.52.0
golang.org/x/image v0.40.0
golang.org/x/image v0.41.0
golang.org/x/net v0.55.0
golang.org/x/oauth2 v0.36.0
golang.org/x/sync v0.20.0
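Review bot: the single require change, `golang.org/x/image v0.40.0` to `v0.41.0`, is the version the two advisories in the description (GO-2026-5031, GO-2026-5032) are fixed in, and the go.sum hunk shows the `/go.mod` hash unchanged between the two versions, so no new transitive requirements arrive with it and a one-line go.mod diff is what to expect. Before merging, confirm the build actually picks it up (`go list -m golang.org/x/image` prints v0.41.0) and that `govulncheck ./...` no longer lists GO-2026-5031 or GO-2026-5032.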

go.sum
@ -793,8 +793,8 @@ golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
golang.org/x/image v0.40.0 h1:Tw4GyDXMo+daZN1znreBRC3VayR1aLFUyUEOLUdW1a8=
golang.org/x/image v0.40.0/go.mod h1:uIc348UZMSvS5Z65CVZ7iDPaNobNFEPeJ4kbqTOszmA=
golang.org/x/image v0.41.0 h1:8wS72eGJMJaBxK6okTzd4WaXumUlTVlb753MlsSvTCo=
golang.org/x/image v0.41.0/go.mod h1:uIc348UZMSvS5Z65CVZ7iDPaNobNFEPeJ4kbqTOszmA=
golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
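Review bot: the v0.40.0 `h1:` and `/go.mod h1:` entries are dropped and replaced by the v0.41.0 pair, so go.sum carries no stale line for the old version; the `/go.mod` hash `h1:uIc348UZMSvS5Z65CVZ7iDPaNobNFEPeJ4kbqTOszmA=` is identical for both versions, which means the module's own go.mod did not change between releases and the fix is confined to code. Validate the new zip hash `h1:8wS72eGJMJaBxK6okTzd4WaXumUlTVlb753MlsSvTCo=` against the checksum database rather than trusting the bot: a `go mod download golang.org/x/image@v0.41.0` from a clean module cache with GOSUMDB enabled will fail if the hash does not match.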