fix(deps): update module golang.org/x/image to v0.38.0 [security] #259

Open
renovate[bot] wants to merge 1 commit into main from renovate/go-golang.org-x-image-vulnerability
Conversation


@renovate renovate bot commented Mar 30, 2026

This PR contains the following updates:

Package              Change
golang.org/x/image   v0.35.0 -> v0.38.0

GitHub Vulnerability Alerts

CVE-2026-33809

A maliciously crafted TIFF file can cause image decoding to attempt to allocate up to 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


renovate bot commented Mar 30, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.0 -> 1.25.0
golang.org/x/text v0.33.0 -> v0.35.0

@github-actions

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Version Update: golang.org/x/image v0.35.0 → v0.38.0

Security Fix:

  • CVE-2026-33809 (CVSS 5.3 MEDIUM): Fixed a critical memory exhaustion vulnerability in TIFF file decoding
  • Issue: A maliciously crafted TIFF file with an IFD offset of 0xFFFFFFFF could trigger allocation of up to 4GiB of memory
  • Impact: Could cause out-of-memory crashes or excessive resource consumption when processing untrusted TIFF files
  • Fix: Changed from attempting full upfront allocation to chunked reading with bounded increments

Dependency Updates:

  • golang.org/x/image: v0.35.0 → v0.38.0
  • golang.org/x/text: v0.33.0 → v0.35.0 (transitive dependency update)
  • go version requirement: 1.24.0 → 1.25.0

Breaking Changes:

  • None identified. The fix maintains backward compatibility with legitimate TIFF files while preventing the vulnerability.

🎯 Impact Scope Investigation

Direct Usage Analysis:

The codebase uses golang.org/x/image in the following locations:

  1. internal/gat/gat.go:25 - Imports golang.org/x/image/draw for image scaling operations

    import (
        "golang.org/x/image/draw"
    )
  2. internal/gat/gat.go:229-263 - printImage() function uses the draw package for image resizing via Sixel protocol

    • Uses draw.ApproxBiLinear.Scale() for image downscaling
    • Processes images detected by content type (including TIFF via Go's standard image.Decode())

Indirect TIFF Support:

While the codebase doesn't explicitly import golang.org/x/image/tiff, TIFF decoding capability is potentially available through:

  • Standard library's image.Decode() (line 232) can handle various formats
  • If TIFF support is imported elsewhere, malicious TIFF files could trigger the vulnerability

API Compatibility:

  • ✅ The draw package API remains unchanged between v0.35.0 and v0.38.0
  • ✅ All existing function signatures are preserved
  • ✅ No breaking changes to the image scaling functionality used in this project

Test Results:

  • ✅ All tests pass: go test ./... completed successfully
  • ✅ Build succeeds: go build -o gat completed without errors
  • ✅ No compilation warnings or errors

Dependency Impact:

  • Minor transitive update to golang.org/x/text (v0.33.0 → v0.35.0)
  • No conflicts with other dependencies
  • Go version bump to 1.25.0 (project already uses toolchain go1.25.5)

💡 Recommended Actions

Immediate Actions:

  1. Merge this PR immediately - This is a security fix with no breaking changes
  2. The update is fully backward compatible and requires no code modifications
  3. All tests pass and the build is successful

Verification Steps (Already Completed):

  • ✅ Tests executed successfully
  • ✅ Build completed without errors
  • ✅ No API changes affecting the codebase
  • ✅ No TIFF-specific code in the project that needs updating

Security Benefits:

  • Protects against potential DoS attacks via malicious TIFF files
  • Even though gat primarily displays images via Sixel, the fix prevents memory exhaustion if TIFF decoding is triggered
  • Reduces attack surface for any user processing untrusted image files

Post-Merge:

  • No migration steps required
  • No configuration changes needed
  • Application behavior remains unchanged for legitimate files

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
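The advisory and the review above describe the bug as a TIFF whose first-IFD offset is 0xFFFFFFFF, which makes a reader that sizes its buffer to the requested offset commit roughly 4 GiB before discovering the file is only a few bytes long, and describe the fix as chunked reading with bounded increments. The following is an added example, not code from this PR, from gat, or from golang.org/x/image: it contrasts the eager sizing arithmetic with a small io.ReaderAt adapter that grows its buffer by a bounded chunk per step and stops at end of input, so the same 8-byte header fails with io.ErrUnexpectedEOF after buffering only 8 bytes. The chunk size of 4096, the TIFF skeletons, and all function names are assumptions made for this example; the real library fix is not reproduced here.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// chunkSize caps buffer growth per read step (an assumed value for this example).
const chunkSize = 4096

// eagerBufferSize: bytes an eager reader-at commits when sized to the requested offset.
func eagerBufferSize(off int64, n int) int64 { return off + int64(n) }

// chunkedReaderAt adapts a forward-only io.Reader to io.ReaderAt, growing its
// buffer by at most chunkSize per step and never past the end of the input.
type chunkedReaderAt struct {
	r   io.Reader
	buf []byte
	eof bool
}

func (b *chunkedReaderAt) ReadAt(p []byte, off int64) (int, error) {
	end := off + int64(len(p))
	for int64(len(b.buf)) < end && !b.eof {
		want := end - int64(len(b.buf))
		if want > chunkSize {
			want = chunkSize
		}
		start := len(b.buf)
		b.buf = append(b.buf, make([]byte, want)...)
		n, err := io.ReadFull(b.r, b.buf[start:])
		b.buf = b.buf[:start+n] // keep only what the input really had
		if err == io.EOF || err == io.ErrUnexpectedEOF {
			b.eof = true
		} else if err != nil {
			return 0, err
		}
	}
	if int64(len(b.buf)) < end {
		return 0, io.ErrUnexpectedEOF // bogus offset: fail before any large allocation
	}
	return copy(p, b.buf[off:end]), nil
}

// parseTIFFHeader decodes the 8-byte header: byte order, magic 42, first IFD offset.
func parseTIFFHeader(hdr []byte) (binary.ByteOrder, uint32, error) {
	var bo binary.ByteOrder
	switch string(hdr[:2]) {
	case "II":
		bo = binary.LittleEndian
	case "MM":
		bo = binary.BigEndian
	default:
		return nil, 0, errors.New("not a TIFF: bad byte order mark")
	}
	if bo.Uint16(hdr[2:4]) != 42 {
		return nil, 0, errors.New("not a TIFF: bad magic")
	}
	return bo, bo.Uint32(hdr[4:8]), nil
}

// ifdEntryCount reads the first IFD's entry count through the chunked reader and
// reports how many input bytes were buffered, i.e. the memory actually committed.
func ifdEntryCount(data []byte) (count uint16, buffered int, err error) {
	b := &chunkedReaderAt{r: bytes.NewReader(data)}
	hdr := make([]byte, 8)
	if _, err = b.ReadAt(hdr, 0); err != nil {
		return 0, len(b.buf), err
	}
	bo, ifdOffset, err := parseTIFFHeader(hdr)
	if err != nil {
		return 0, len(b.buf), err
	}
	var cnt [2]byte
	if _, err = b.ReadAt(cnt[:], int64(ifdOffset)); err != nil {
		return 0, len(b.buf), err
	}
	return bo.Uint16(cnt[:]), len(b.buf), nil
}

// Constructed inputs, not real files: a minimal well-formed little-endian TIFF
// skeleton with one IFD entry, and a header whose IFD offset is 0xFFFFFFFF.
func minimalTIFF() []byte {
	return []byte{'I', 'I', 42, 0, 8, 0, 0, 0, // header: IFD at offset 8
		1, 0, // one IFD entry follows
		0x00, 0x01, 3, 0, 1, 0, 0, 0, 1, 0, 0, 0, // ImageWidth, SHORT, count 1, value 1
		0, 0, 0, 0} // no next IFD
}
func maliciousTIFF() []byte { return []byte{'I', 'I', 42, 0, 0xFF, 0xFF, 0xFF, 0xFF} }

func main() {
	fmt.Println(ifdEntryCount(minimalTIFF()))   // 1 10 <nil>
	fmt.Println(ifdEntryCount(maliciousTIFF())) // 0 8 unexpected EOF
	fmt.Println(eagerBufferSize(0xFFFFFFFF, 2)) // 4294967297
}
```

The point of the contrast is that the bounded reader's memory use is a function of the bytes the input actually supplies, never of an offset the attacker writes into the header. Note that the capacity reserved by append is still bounded by chunkSize, not by the offset, which is what makes the failure cheap.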
