CVE-2017-12668

Vulnerability

ImageMagick version 7.0.6-2 contains a memory leak vulnerability in the WritePCXImage function in coders/pcx.c [1]. When converting an image to the PCX format, memory allocated for pcx_colormap (in AcquireQuantumMemory at line 987) is not properly freed if a subsequent memory allocation for pixel_info fails. This results in a direct leak of 768 bytes per failed operation, as confirmed by AddressSanitizer traces [1].

Exploitation

An attacker can trigger this vulnerability by providing a crafted image file to ImageMagick's convert utility and requesting PCX output (./magick convert $FILE out.pcx) [1]. The attacker does not require authentication or special privileges; any user who can invoke ImageMagick image processing on arbitrary files can exploit it. The exploitation sequence involves the application performing the PCX write operation under conditions that cause the second memory allocation to fail, thus leaking the previously allocated colormap memory.

Impact

Successful exploitation results in a memory leak, which over multiple image conversions can lead to resource exhaustion (denial of service). The vulnerability is rated High (CVSS v3 8.8) due to the low attack complexity and network attack vector via file upload vector [1]. While no remote code execution or data disclosure is directly possible, the memory exhaustion can cause the application or system to become unresponsive.

Mitigation

The fix was committed in commit 2ba8f335fa06daf1165e0878462686028e633a74 [2]. The patch adds a call to RelinquishMagickMemory(pcx_colormap) before throwing the ResourceLimitError exception when the virtual memory allocation for pixel_info fails [2]. Users should upgrade to a version of ImageMagick later than 7.0.6-2 that includes this commit. No workaround is available other than avoiding PCX output untrusted images before patching.