VYPR
High severity 8.8 · NVD Advisory · Published Aug 7, 2017 · Updated May 13, 2026

CVE-2017-12664

Description

ImageMagick 7.0.6-2 has a memory leak in WritePALMImage that leads to resource exhaustion and potential denial-of-service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

ImageMagick 7.0.6-2 contains a memory leak vulnerability in WritePALMImage within coders/palm.c. When converting an image to the PALM format, the function fails to properly free allocated memory for certain internal buffers, specifically QuantizeInfo and grayscale quantisation structures, under specific compression conditions. The issue affects ImageMagick version 7.0.6-2 [1][2].

Exploitation

An attacker can trigger the memory leak by providing a crafted input image file and using the convert command to write a PALM output (e.g., ./magick convert $FILE out.palm). No authentication or special privileges are required beyond the ability to run ImageMagick with a malicious file. The leak occurs during the normal image-processing pipeline, requiring no user interaction beyond executing the conversion command [1][2].

Impact

Successfully exploiting this vulnerability results in progressive memory consumption, potentially leading to resource exhaustion and denial-of-service on the system running ImageMagick. The leak does not enable arbitrary code execution or data corruption, but repeated conversions could exhaust available memory, causing software or system crashes [1][2].

Mitigation

The fix was committed to the ImageMagick repository on 2017-08-07 and is included in versions after 7.0.6-2. Users should upgrade to a patched release (e.g., 7.0.6-3 or later). No EOL or KEV listing is noted. If upgrading is not immediately possible, avoid processing untrusted image files with ImageMagick until the patch is applied [1][2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

16

Patches

0

No patches discovered yet.

References

2
