x/vulndb: potential Go vuln in github.com/SimonWaldherr/zplgfa: CVE-2023-36307

[GoVulnBot]

CVE-2023-36307 references github.com/SimonWaldherr/zplgfa, which may be a Go module.

Description:
** DISPUTED ** ZPLGFA 1.1.1 allows attackers to cause a panic (because of an integer index out of range during a ConvertToGraphicField call) via an image of zero width. NOTE: it is unclear whether there are common use cases in which this panic could have any security consequence

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-36307
• JSON: https://github.com/CVEProject/cvelist/tree/3a8dcd848ada969b6e2122f84fd50ebbdba3e24f/2023/36xxx/CVE-2023-36307.json
• fix: Program crashes when processing certain maliciously crafted images SimonWaldherr/zplgfa#6
• Imported by: https://pkg.go.dev/github.com/SimonWaldherr/zplgfa?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/SimonWaldherr/zplgfa
      vulnerable_at: 1.1.1
      packages:
        - package: n/a
description: |-
    ** DISPUTED ** ZPLGFA 1.1.1 allows attackers to cause a panic (because of an
    integer index out of range during a ConvertToGraphicField call) via an image of
    zero width. NOTE: it is unclear whether there are common use cases in which this
    panic could have any security consequence
cves:
    - CVE-2023-36307
references:
    - fix: https://github.com/SimonWaldherr/zplgfa/pull/6

[gopherbot]

Change https://go.dev/cl/527176 mentions this issue: data/excluded: batch add 14 excluded reports