VYPR
Severity: Medium (6.5) · Source: NVD Advisory · Published: Sep 7, 2017 · Updated: May 13, 2026

CVE-2017-14175

Description

ImageMagick 7.0.6-1 Q16 has a denial of service vulnerability in ReadXBMImage() due to missing EOF check, causing high CPU consumption.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In coders/xbm.c of ImageMagick 7.0.6-1 Q16, the ReadXBMImage() function lacks an End of File (EOF) check inside a loop over image rows. When a crafted XBM file claims large rows and columns fields in its header but does not contain sufficient backing data, the loop at line 345 consumes huge CPU resources. The affected code is specifically in the XBMInteger() function and the loop that parses image data. Versions prior to the commit d9a8234 are vulnerable. [1][2][3]

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted XBM image file to a user or automated system that uses ImageMagick (e.g., via the convert command). The crafted image requires no special authentication or network position; the victim simply opens or processes the image. The attacker must ensure the XBM header specifies large dimensions (rows and columns) while the data stream ends prematurely. When the application calls ReadXBMImage(), it enters the row loop and continuously reads from the blob without checking for EOF, leading to a hang that consumes 100% CPU and significant memory (up to 4 GB). [1][2][3]

Impact

Successful exploitation causes a denial of service (DoS) condition. The consuming process uses 100% CPU and up to 4 GB of memory, potentially rendering the system unresponsive. No code execution or data disclosure is indicated from the available references. The impact is limited to availability. [1][3]

Mitigation

A fix was committed to the ImageMagick repository in commit d9a8234 (2017-09-07), which modifies XBMInteger() to return -1 on EOF instead of 0 and updates the row loop to check for that sentinel and abort the read. Ubuntu published a security update (USN-3681-1) on 2018-06-18 for versions prior to 8:6.9.7.4+dfsg-16ubuntu6.7 (18.04 LTS), with corresponding versions for other releases. Gentoo issued GLSA 201711-07, recommending an upgrade to >=media-gfx/imagemagick-6.9.9.20. Users should update to the latest patched version. There is no known workaround. [1][2][4]
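The following C program is an added illustration and is not ImageMagick's coders/xbm.c. It reconstructs the reading pattern described above over an in-memory buffer: a hypothetical xbm_integer() returns a caller-chosen sentinel when the stream is exhausted, and a row loop consumes as many values as the header claims. The pre-fix behaviour (sentinel 0, indistinguishable from a genuine zero byte, so the loop keeps going for every claimed byte) is contrasted with the fixed behaviour (sentinel -1, so the loop aborts as soon as the data runs out). The header text, claimed dimensions and the iteration cap that stands in for "runs until the claimed size is exhausted" are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>

/* In-memory stand-in for the blob stream the reader pulls bytes from (constructed). */
typedef struct {
    const char *data;
    size_t len;
    size_t pos;
} Blob;

static int blob_getc(Blob *b) {
    if (b->pos >= b->len) return EOF;
    return (unsigned char)b->data[b->pos++];
}

/* Hypothetical XBMInteger()-style parser: skips separators, accepts an optional
 * 0x prefix, reads one hex value. On EOF it returns eof_value, which is the
 * whole point of the fix: 0 (pre-fix) cannot be told apart from real data,
 * -1 (post-fix) can. */
static int xbm_integer(Blob *b, int eof_value) {
    int c, value = 0;
    do {
        c = blob_getc(b);
        if (c == EOF) return eof_value;
    } while (!isxdigit(c));
    if (c == '0') {
        int next = blob_getc(b);
        if (next == 'x' || next == 'X') {
            c = blob_getc(b);
            if (c == EOF) return eof_value;
        } else if (next != EOF) {
            b->pos--; /* not a prefix: push the byte back */
        }
    }
    while (c != EOF && isxdigit(c)) {
        value = value * 16 + (isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
        c = blob_getc(b);
    }
    return value;
}

/* Number of data bytes an XBM header of the given size claims: rows of
 * ceil(columns / 8) bytes each. */
long claimed_bytes(long columns, long rows) {
    return ((columns + 7) / 8) * rows;
}

/* Row/column loop. Returns the number of values consumed, or -1 when the
 * EOF check is enabled and the stream ends before the claimed size. Without
 * the check the loop only stops at the claimed size (here bounded by cap so
 * the demonstration terminates). */
long read_xbm_data(Blob *b, long columns, long rows, int eof_check, long cap) {
    long total = claimed_bytes(columns, rows), i, n = 0;
    for (i = 0; i < total && i < cap; i++) {
        int v = xbm_integer(b, eof_check ? -1 : 0);
        if (eof_check && v < 0) return -1; /* truncated input detected */
        n++;
    }
    return n;
}

/* Constructed input: the header claims a 65536x65536 bitmap
 * (536,870,912 data bytes) but only three bytes of data follow. */
static const char kTruncatedXbm[] =
    "#define t_width 65536\n"
    "#define t_height 65536\n"
    "static char t_bits[] = {\n"
    "0x00, 0x7f, 0x01";
#define CLAIMED_COLUMNS 65536L
#define CLAIMED_ROWS    65536L
#define ITERATION_CAP   1000000L

static Blob open_truncated(void) {
    Blob b = { kTruncatedXbm, sizeof(kTruncatedXbm) - 1, 0 };
    /* Position the stream just past the '{' that opens the data array. */
    while (b.pos < b.len && b.data[b.pos] != '{') b.pos++;
    if (b.pos < b.len) b.pos++;
    return b;
}

/* Pre-fix behaviour: keeps consuming "zeros" until the cap. */
long run_weak(void) {
    Blob b = open_truncated();
    return read_xbm_data(&b, CLAIMED_COLUMNS, CLAIMED_ROWS, 0, ITERATION_CAP);
}

/* Post-fix behaviour: aborts after the three real values. */
long run_fixed(void) {
    Blob b = open_truncated();
    return read_xbm_data(&b, CLAIMED_COLUMNS, CLAIMED_ROWS, 1, ITERATION_CAP);
}

int main(void) {
    printf("claimed bytes: %ld\n", claimed_bytes(CLAIMED_COLUMNS, CLAIMED_ROWS));
    printf("without EOF check: consumed %ld values (hit cap)\n", run_weak());
    printf("with EOF check:    result %ld (truncation detected)\n", run_fixed());
    return 0;
}
```

The detection-side lesson carries over to any reader that trusts a header-declared size: a value that can come back from the stream legitimately cannot double as the end-of-data marker, and the consuming loop has to be bounded by what was actually read, not by what was claimed.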

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 22

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet)