Medium severity 6.5 · NVD Advisory · Published Aug 29, 2017 · Updated May 13, 2026

CVE-2017-13758


Description

A heap-buffer-overflow in ImageMagick's TracePoint() function can be triggered via a crafted SVG file, enabling denial-of-service or possible code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

In ImageMagick 7.0.6-10, the TracePoint() function in MagickCore/draw.c contains a heap-based buffer overflow. The bug occurs when processing malformed SVG image files that ultimately invoke the TraceEllipse or TraceCircle path, leading to a write of 8 bytes beyond the allocated heap buffer. The vulnerability is reachable via the convert command and other tools that call ReadSVGImage. The issue affects ImageMagick versions prior to the fix in commit b0323e6509f4530a228c8788db11a49ff9255b69 [2].

Exploitation

An attacker can trigger the overflow by crafting a specially malformed SVG file. The user (or automated system) must open or process this file with ImageMagick (e.g., via the convert im_hbo_TracePoint.svg /dev/null command). No authentication is required; the attack vector is remote if the attacker can deliver the file and convince the victim to process it. The fuzzing report shows AddressSanitizer confirming a heap-buffer-overflow at TracePoint during execution [2].

Impact

Successful exploitation can result in a denial of service (crash) or, potentially, arbitrary code execution with the privileges of the user running ImageMagick [1]. The scope is limited to the integrity and confidentiality of the affected system, depending on the exploit payload. The overflow write size is fixed (8 bytes), but control over the content may allow an attacker to corrupt sensitive data or hijack control flow.

Mitigation

The vulnerability is fixed in ImageMagick commit b0323e6509f4530a228c8788db11a49ff9255b69 and in later releases. Canonical released an Ubuntu Security Notice (USN-3681-1) with updated packages for Ubuntu 18.04 LTS (imagemagick version 8:6.9.7.4+dfsg-16ubuntu6.1) and other supported releases [1]. Gentoo published GLSA 201711-07 recommending an upgrade to >=media-gfx/imagemagick-6.9.9.20 [3]. Users should update ImageMagick to the latest patched version. If an immediate update is not possible, avoid processing untrusted SVG files with affected versions.
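One way to enforce the "avoid processing untrusted SVG files" stopgap in an upload pipeline is to inspect content before ImageMagick is called, since ImageMagick can pick its coder from a file's content rather than its name. This is an added example, not code from ImageMagick or from the cited advisories; the function names, the 4096-byte window and the sample inputs are assumptions made for illustration.

```python
import gzip
import re
import zlib
from typing import Optional

SNIFF_BYTES = 4096        # decoded bytes to inspect; a value assumed for this example
GZIP_MAGIC = b"\x1f\x8b"  # .svgz files are gzip-compressed SVG
# An <svg> element, optionally namespace-prefixed (<svg:svg>).
SVG_ROOT = re.compile(rb"<(?:[a-z_][\w.-]*:)?svg[\s>/]", re.IGNORECASE)


def sniff_head(data: bytes) -> Optional[bytes]:
    """Return the leading decoded bytes, or None if they cannot be inspected."""
    if data.startswith(GZIP_MAGIC):
        try:
            # wbits=31 selects gzip framing; max_length bounds the output size.
            return zlib.decompressobj(wbits=31).decompress(data, SNIFF_BYTES)
        except zlib.error:
            return None
    return data[:SNIFF_BYTES]


def must_reject(data: bytes) -> bool:
    """True if the upload is SVG, or uninspectable, and must not reach ImageMagick."""
    head = sniff_head(data)
    if head is None:
        return True  # fail closed on corrupt compressed input
    # Dropping NUL bytes lets UTF-16 encoded markup match the ASCII pattern.
    return SVG_ROOT.search(head.replace(b"\x00", b"")) is not None


# Constructed sample uploads; none is the reproducer file named in the advisory.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG = b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/></svg>'
SAMPLES = {
    "photo.png": PNG,
    "drawing.svg": SVG,
    "renamed.png": SVG,                      # SVG content behind an image extension
    "utf16.svg": SVG.decode().encode("utf-16"),
    "drawing.svgz": gzip.compress(SVG),
    "broken.svgz": GZIP_MAGIC + b"not a gzip stream",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14} {'REJECT' if must_reject(blob) else 'pass'}")
```

The gate is a stopgap for hosts that cannot yet be patched; it errs toward rejection, so any file with SVG markup in its first 4096 decoded bytes is refused.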

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
