VYPR
High severity · 8.8 · NVD Advisory · Published Aug 7, 2017 · Updated May 13, 2026

CVE-2017-12642

Description

ImageMagick 7.0.6-1 has a memory leak in ReadMPCImage that can lead to denial of service when processing crafted MPC files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

ImageMagick version 7.0.6-1 contains a memory leak vulnerability in the ReadMPCImage function located in coders/mpc.c [1]. The leak occurs when processing specially crafted MPC (Magick Persistent Cache) image files, triggered during image identification operations [1]. The memory is allocated via AcquireMagickMemory and AcquireQuantumMemory but is never properly freed, leading to accumulation of allocated memory [1]. This affects all configurations that use identify, convert, or similar ImageMagick commands on untrusted MPC files [1].

Exploitation

An attacker can trigger the vulnerability by supplying a malicious MPC file to an application or service that uses ImageMagick to process images [1]. No authentication or special privileges are required if the attacker can upload or provide an image file for processing. The attack vector is typically remote via file upload or user interaction. When ImageMagick parses the crafted MPC file with identify or similar commands, the code path in ReadMPCImage at lines 625-627 of mpc.c allocates memory for linked-list structures and strings without releasing them on all exit paths, resulting in a direct leak of 56 bytes and indirect leaks of 4128 bytes and 64 bytes per invocation [1].
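The leak class described above (list nodes and strings allocated while parsing a header, then an error exit that skips cleanup) is shown here in a small model next to its fix. This is an added example, not ImageMagick's code: the parser, the `key=value` header layout, the `fixed` switch and all function names are hypothetical, and the input is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of the bug class; not ImageMagick source code. */
static long live_allocs = 0;            /* outstanding allocations, for the demo */
static void *xalloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }
typedef struct Node { char *name; struct Node *next; } Node;
static void list_destroy(Node *head) {
    while (head) { Node *next = head->next; xfree(head->name); xfree(head); head = next; }
}
/* Prepend a copy of name[0..len); returns the new head, or NULL if allocation fails. */
static Node *list_push(Node *head, const char *name, size_t len) {
    Node *n = xalloc(sizeof *n);
    if (!n) return NULL;
    if (!(n->name = xalloc(len + 1))) { xfree(n); return NULL; }
    memcpy(n->name, name, len);
    n->name[len] = '\0';
    n->next = head;
    return n;
}
/* Parse "key=value\n" lines, collecting "profile-*" keys. Returns the profile
   count, or -1 on a malformed line. fixed == 0 keeps the early return that
   skips cleanup; fixed != 0 routes every exit through list_destroy(). */
static int parse_header(const char *hdr, int fixed) {
    Node *profiles = NULL;
    int count = 0, status = 0;
    while (*hdr && status == 0) {
        size_t linelen = strcspn(hdr, "\n");
        const char *eq = memchr(hdr, '=', linelen);
        if (!eq) {
            if (!fixed) return -1;      /* leaky exit: list and strings stay allocated */
            status = -1;
        } else if (strncmp(hdr, "profile-", 8) == 0) {
            Node *n = list_push(profiles, hdr, (size_t)(eq - hdr));
            if (n) { profiles = n; count++; } else status = -1;
        }
        hdr += linelen + (hdr[linelen] == '\n');
    }
    list_destroy(profiles);             /* single cleanup point for every exit */
    return status ? status : count;
}
/* Allocations still outstanding after one parse of hdr. */
static long leaked_after(const char *hdr, int fixed) {
    long before = live_allocs;
    (void)parse_header(hdr, fixed);
    return live_allocs - before;
}
int main(void) {                        /* the header below is constructed sample input */
    const char *bad = "id=MagickCache\nprofile-icc=4\nprofile-exif=2\nbroken line\n";
    printf("leaky: %ld  fixed: %ld\n", leaked_after(bad, 0), leaked_after(bad, 1));
    return 0;
}
```

In a long-running service that parses many attacker-supplied files, the per-call residue of the leaky path accumulates, which is the availability impact the advisory describes.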

Impact

Successfully exploiting this vulnerability leads to a memory leak, causing the ImageMagick process to consume increasing amounts of memory [1]. This can result in a denial of service (DoS) condition by exhausting available system memory, potentially affecting the stability of the host or other processes [1]. The impact is limited to availability; confidentiality and integrity are not directly compromised. No code execution or privilege escalation is possible via this vulnerability alone [1].

Mitigation

As of the publication date, the issue was reported to the ImageMagick project, and a fix was expected in a subsequent release [1]. Users should update ImageMagick to a version newer than 7.0.6-1 once a patched version becomes available. If immediate patching is not possible, workarounds include restricting the processing of untrusted MPC files, using security policies to limit memory allocation, or employing a sandboxed environment for ImageMagick operations [1].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 18

Patches: 0. No patches discovered yet.

References: 2
