VYPR
High severity · 8.8 · NVD Advisory · Published Aug 6, 2017 · Updated May 13, 2026

CVE-2017-12587

Description

A large loop vulnerability in ImageMagick 7.0.6-1's ReadPWPImage function allows denial of service or code execution via crafted image.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In ImageMagick 7.0.6-1, the ReadPWPImage function in coders/pwp.c assembles a loop bound, filesize, from three attacker-controlled header bytes (magick[2], magick[1] and magick[0]) and then iterates that many times, calling ReadBlobByte on every pass and writing out each result without ever testing whether the read succeeded [2]. A crafted file can therefore declare a filesize far larger than its actual contents (up to roughly 65535*255), and the loop keeps running on an input that is already exhausted, burning CPU on reads that can only return EOF.
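
The loop described above, as an added example that is not ImageMagick's own code: a minimal stand-in for the blob reader, the header-to-count arithmetic as the page gives it (65535*magick[2] + 256*magick[1] + magick[0], with the multipliers taken from pwp.c as this editor recalls them, so treat the exact constants as an assumption), the unchecked loop that 7.0.6-1 runs, and the EOF-checked form a fix needs. The modelled side effect, each iteration "writing" a byte so that EOF turns into a 0xFF garbage byte, mirrors how fputc(EOF, file) behaves in C; that the real loop writes to a temporary file is taken from the pwp.c source, not from this page. Blob, read_blob_byte, pwp_filesize, DumpStats, dump_unchecked and dump_checked are names chosen here, and the inputs are constructed.

```c
/* Model of the ReadPWPImage "dump encoded file" loop: vulnerable form vs. fixed form.
   Example code written for this page; not ImageMagick source. */
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for ImageMagick's blob reader. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} Blob;

/* Mirrors ReadBlobByte(): next byte, or EOF once the blob is exhausted. */
static int read_blob_byte(Blob *b) {
    if (b->pos >= b->len) return EOF;
    return b->data[b->pos++];
}

/* Loop bound as assembled from three header bytes
   (assumed: 65535*magick[2] + 256*magick[1] + magick[0], per coders/pwp.c). */
static unsigned long pwp_filesize(const unsigned char magick[3]) {
    return 65535UL * magick[2] + 256UL * magick[1] + magick[0];
}

/* What one dump pass did. */
typedef struct {
    unsigned long iterations; /* loop iterations executed ("bytes written") */
    unsigned long eof_bytes;  /* iterations whose read failed but still wrote 0xFF */
} DumpStats;

/* Vulnerable form (7.0.6-1): trusts the header-derived bound and never checks
   the read. fputc(EOF, file) writes 0xFF, so a truncated input costs the full
   filesize iterations and pads the temp file with garbage. */
static DumpStats dump_unchecked(Blob *b, const unsigned char magick[3]) {
    DumpStats s = {0, 0};
    unsigned long filesize = pwp_filesize(magick);
    for (unsigned long i = 0; i < filesize; i++) {
        int c = read_blob_byte(b);
        if (c == EOF) s.eof_bytes++;
        s.iterations++;              /* stands in for fputc(c, file) */
    }
    return s;
}

/* Hardened form: the header may still lie, but the loop ends when the input does. */
static DumpStats dump_checked(Blob *b, const unsigned char magick[3]) {
    DumpStats s = {0, 0};
    unsigned long filesize = pwp_filesize(magick);
    for (unsigned long i = 0; i < filesize; i++) {
        int c = read_blob_byte(b);
        if (c == EOF) break;         /* the missing check */
        s.iterations++;
    }
    return s;
}

int main(void) {
    /* Constructed input: header claims 16 payload bytes, the blob holds 5. */
    const unsigned char magick[3] = {0x10, 0x00, 0x00};
    const unsigned char payload[5] = {'A', 'B', 'C', 'D', 'E'};
    Blob b1 = {payload, sizeof payload, 0};
    Blob b2 = {payload, sizeof payload, 0};
    DumpStats v = dump_unchecked(&b1, magick);
    DumpStats f = dump_checked(&b2, magick);
    printf("unchecked: %lu iterations, %lu garbage bytes\n", v.iterations, v.eof_bytes);
    printf("checked:   %lu iterations\n", f.iterations);

    /* Worst case the page describes: all three header bytes 0xFF. */
    const unsigned char worst[3] = {0xFF, 0xFF, 0xFF};
    printf("max loop bound: %lu\n", pwp_filesize(worst));
    return 0;
}
```

With a header that promises 16 bytes over a 5-byte body, the unchecked loop still completes all 16 iterations and emits 11 garbage bytes, while the checked loop stops after 5. With all three header bytes set to 0xFF the bound is 16,776,960, which is the order of magnitude of wasted work a one-header file buys. The review question is the same for any decoder: does the loop bound come from the file, and is every read result tested before it is used?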

Exploitation

An attacker exploits this by delivering a specially crafted image to a user, or to an automated pipeline that processes untrusted images with ImageMagick [1]. No authentication is required; the victim only needs to have the file parsed, for example by running identify on it. Because ImageMagick picks the coder from the file's content rather than its extension, the file does not need a .pwp name to reach ReadPWPImage. The crafted header drives the loop through an enormous number of iterations, each performing a read that fails once the input is exhausted [2].

Impact

Successful exploitation causes a denial of service through CPU exhaustion [2]. The Ubuntu advisory, in its usual wording, adds that the flaw could possibly allow arbitrary code execution with the privileges of the user running ImageMagick [1]; the mechanics in the vulnerability report [2] support only resource exhaustion, so treat the code-execution outcome as unconfirmed rather than demonstrated.

Mitigation

Ubuntu shipped fixed ImageMagick packages for Ubuntu 18.04 LTS and the other releases listed in USN-3681-1 [1]; other distributions carry their own backports, and upstream corrected the loop in releases after 7.0.6-1. Update to a patched version. The references document no workaround other than patching. As general ImageMagick hardening not drawn from this page's references, a deployment that never needs the PWP format can disable that coder in policy.xml (coder domain, rights none, pattern PWP) so the vulnerable reader is never reached.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 18
Patches: 0 (no patches discovered yet)

References: 4
News mentions: 0 (no linked articles in the index yet)