CVE-2017-11450
Description
A crafted short JPEG file can crash ImageMagick by triggering an uninitialized memory read in coders/jpeg.c before version 7.0.6-1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In ImageMagick versions before 7.0.6-1, the ReadJPEGImage function in coders/jpeg.c does not verify that the input file is large enough to contain a valid JPEG datastream. When an attacker provides a JPEG file that is too short (less than 107 bytes), the JPEG library attempts to read beyond the available data, leading to an application crash or possibly other unspecified impacts [1][3]. The conditions are reachable by simply loading a malformed image file.
Exploitation
An attacker needs only to deliver a specially crafted JPEG file that is smaller than the minimal required size (107 bytes). No authentication or special privileges are required; the attack can be triggered by any user or process that causes ImageMagick to process the image, such as via a web upload or email attachment [1][2]. The sequence involves calling ReadJPEGImage on the undersized file, which then invokes the underlying JPEG library without proper size validation.
Impact
Successful exploitation results in a denial of service (application crash). The official description also notes the potential for unspecified other impact, though no proof-of-concept for code execution has been publicly documented [1][3]. The compromised process runs with the privileges of the user invoking ImageMagick.
Mitigation
ImageMagick version 7.0.6-1 and later include the fix (commit 948356eec65aea91995d4b7cc487d197d2c5f602), which adds a size check (GetBlobSize(image) < 107) to reject undersized files [1]. Debian and other distributions have backported fixes to older release series (e.g., 8:6.9.7.4+dfsg-11+deb9u1 for stretch) [3]. Users should upgrade to the latest available patched version for their distribution.
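The size rule and the fixed-version thresholds described above can be applied as a pre-decoder gate and an exposure check. This is an added example, not ImageMagick's code or part of the original record. The function names, the `declared_jpeg` flag and the sample inputs are assumptions, and the version check covers upstream version strings only, not distribution backports such as the Debian one mentioned above.

```python
import re

MIN_JPEG_BLOB = 107      # the fix rejects GetBlobSize(image) < 107
JPEG_SOI = b"\xff\xd8"   # JPEG start-of-image marker
FIXED_6 = (6, 9, 9, 0)   # page: affected range <6.9.9-0
FIXED_7 = (7, 0, 6, 1)   # page: affected range <7.0.6-1


def parse_version(text):
    """Parse an upstream ImageMagick version such as '7.0.5-10' into a tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-(\d+)", text.strip())
    if m is None:
        raise ValueError(f"not an upstream ImageMagick version: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version_text):
    """True if an upstream release predates the fix for its series."""
    v = parse_version(version_text)
    return v < (FIXED_7 if v[0] >= 7 else FIXED_6)


def triage_upload(data, declared_jpeg=False):
    """Classify bytes before they are handed to an image decoder.

    declared_jpeg is the caller's own flag (hypothetical) for a .jpg/.jpeg
    file name or an image/jpeg content type.
    """
    if not (data.startswith(JPEG_SOI) or declared_jpeg):
        return "not-jpeg"
    if len(data) < MIN_JPEG_BLOB:
        return "reject-short-jpeg"
    # Passing the size gate does not make the file a valid JPEG.
    return "pass-to-decoder"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real report.
    stub = JPEG_SOI + b"\xff\xe0" + b"\x00" * 20
    for label, blob, declared in [
        ("24-byte stub", stub, False),
        ("106 bytes, .jpg name", b"\x00" * 106, True),
        ("107 bytes with SOI", JPEG_SOI + b"\x00" * 105, False),
    ]:
        print(label, "->", triage_upload(blob, declared))
    for ver in ("7.0.5-10", "7.0.6-1", "6.9.8-4", "6.9.9-0"):
        print(ver, "affected" if is_affected(ver) else "fixed")
```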
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* range: <6.9.9-0
- (no CPE) range: <7.0.6-1
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- osv-coords, 16 versions (all without a CPE):
- pkg:rpm/suse/GraphicsMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4 range: < 1.2.5-4.78.38.1
- pkg:rpm/suse/GraphicsMagick&distro=SUSE%20Studio%20Onsite%201.3 range: < 1.2.5-4.78.38.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2 range: < 6.8.8.1-71.42.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3 range: < 6.8.8.1-71.42.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4 range: < 6.4.3.6-7.78.34.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2 range: < 6.8.8.1-71.42.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 range: < 6.8.8.1-71.42.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2 range: < 6.8.8.1-71.42.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4 range: < 6.4.3.6-7.78.34.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 range: < 6.8.8.1-71.42.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 range: < 6.8.8.1-71.42.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4 range: < 6.4.3.6-7.78.34.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2 range: < 6.8.8.1-71.42.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 range: < 6.8.8.1-71.42.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP2 range: < 6.8.8.1-71.42.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP3 range: < 6.8.8.1-71.42.1
References
- bugs.debian.org/cgi-bin/bugreport.cgi (nvd: Issue Tracking, Patch, Third Party Advisory)
- github.com/ImageMagick/ImageMagick/commit/948356eec65aea91995d4b7cc487d197d2c5f602 (nvd: Issue Tracking, Patch, Third Party Advisory)
- github.com/ImageMagick/ImageMagick/issues/556 (nvd: Issue Tracking, Patch, Third Party Advisory)
- security-tracker.debian.org/tracker/CVE-2017-11450 (nvd: Issue Tracking, Patch, Third Party Advisory)