High severity 8.8 · NVD Advisory · Published Aug 7, 2017 · Updated May 13, 2026

CVE-2017-12663

Description

ImageMagick 7.0.6-2 has a memory leak in WriteMAPImage when failing to allocate memory, leading to potential resource exhaustion.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

ImageMagick version 7.0.6-2 contains a memory leak in the WriteMAPImage function in coders/map.c [1][2]. When memory allocation for pixels or colormap fails, the function does not free the memory it has already allocated before throwing via ThrowWriterException [1]. Memory is therefore leaked each time this error path is taken [2].
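
The error-path pattern described above, as an added example that is a simplified model and not ImageMagick's code: `test_alloc`, `test_free`, `write_leaky`, `write_fixed` and `leaked_after` are hypothetical names, and the failing allocator is constructed so the leak can be counted.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed test allocator: the Nth request fails so the error path runs. */
static int fail_on_call, call_count, live_blocks;

static void *test_alloc(size_t n) {
    void *p = (++call_count == fail_on_call) ? NULL : malloc(n);
    if (p != NULL) live_blocks++;
    return p;
}
static void test_free(void *p) { if (p != NULL) { free(p); live_blocks--; } }

/* Leaky shape: bail out on failure without releasing the buffer that succeeded. */
static int write_leaky(size_t pixels_len, size_t colormap_len) {
    unsigned char *pixels = test_alloc(pixels_len);
    unsigned char *colormap = test_alloc(colormap_len);
    if (pixels == NULL || colormap == NULL)
        return -1;                      /* surviving buffer is never freed */
    /* ... encoding would happen here ... */
    test_free(colormap);
    test_free(pixels);
    return 0;
}

/* Corrected shape: release whichever buffer was obtained, then report the error. */
static int write_fixed(size_t pixels_len, size_t colormap_len) {
    unsigned char *pixels = test_alloc(pixels_len);
    unsigned char *colormap = test_alloc(colormap_len);
    int status = (pixels != NULL && colormap != NULL) ? 0 : -1;
    /* ... encoding would happen here when status == 0 ... */
    test_free(colormap);                /* test_free ignores NULL */
    test_free(pixels);
    return status;
}

/* Run a writer with allocation number fail_nth failing (0 = none);
   return how many blocks are still allocated afterwards. */
static int leaked_after(int (*writer)(size_t, size_t), int fail_nth) {
    fail_on_call = fail_nth; call_count = 0; live_blocks = 0;
    (void)writer(64, 768);
    return live_blocks;
}

int main(void) {
    printf("leaky: %d block(s) left\n", leaked_after(write_leaky, 2));
    printf("fixed: %d block(s) left\n", leaked_after(write_fixed, 2));
    return 0;
}
```

Running the same fault injection under a leak checker such as Valgrind or AddressSanitizer's LeakSanitizer is a practical way to confirm that a patched build no longer leaks on this path.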

Exploitation

An attacker can trigger this vulnerability by providing a crafted image file that causes the WriteMAPImage function to fail during memory allocation [2]. The attack requires no authentication and can be performed remotely if the attacker can submit an image to be processed by ImageMagick (e.g., via a web application that uses ImageMagick to convert images) [2]. The exploitation does not require user interaction beyond normal processing of the malicious file [2].

Impact

A successful exploit allows an attacker to cause a memory leak, which can lead to resource exhaustion and denial of service [2]. Repeated exploitation can deplete available memory, making the service unresponsive [2]. The impact is limited to availability; there is no evidence of information disclosure or code execution [1][2].

Mitigation

The vulnerability was fixed in a commit on the ImageMagick master branch [1]. Users should upgrade to a version that includes this fix (version 7.0.6-3 or later) [1]. If immediate upgrade is not possible, users can restrict processing of untrusted image files as a workaround [2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

18

References

2