LJT01003: CPU Overconsumption Using Extraneous Progressive Scans
LJT01004: Memory Overconsumption Using Large Images
Now I think these should get a GSD identifier, ideally against the specification (e.g. ISO/IEC 10918-1 | ITU-T Recommendation T.81)
But what do we do about all the affected vendors (to say a lot of things implement jpeg processing software would be an understatement)? I feel like this is the log4j situation all over (1000+ vendors/products), a GSD in the multi-megabyte range is less than ideal, I suspect the best solution is to break it up into multiple GSD entries with relationship data (e.g. "child of") at least at a vendor/project level, possibly further if needed.
I also feel like a major part of this would be having proper machine-readable data about what is affected (e.g. CPE/Purl/SWID/whatever) to make machine parsing possible, and obviously, we would want to provide a search capability longer-term (we technically already do via GitHub's search but you can't use operators and patterns easily).