VYPR
Unrated severity · NVD Advisory · Published Jan 12, 2018 · Updated Aug 5, 2024

CVE-2017-18028

Description

A memory exhaustion vulnerability in ImageMagick 7.0.7-1 Q16's ReadTIFFImage allows remote denial of service via crafted TIFF file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In ImageMagick 7.0.7-1 Q16, the ReadTIFFImage function in coders/tiff.c allocates memory using AcquireQuantumMemory(columns, rows * sizeof(*tile_pixels)), where rows is derived directly from the input TIFF file. An attacker can craft a file with an extremely large rows value, causing excessive memory consumption and resulting in a denial of service. This affects ImageMagick versions prior to the fix included in Ubuntu updates referenced in [1] and as reported on GitHub [2].
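The allocation pattern described above, with the file-declared dimensions validated before any memory is requested. This is an added example, not ImageMagick's code or its upstream fix: `tile_size_ok`, `acquire_tile_pixels` and `TILE_BUDGET_BYTES` are hypothetical names, plain `malloc` stands in for `AcquireQuantumMemory`, and the 256 MiB budget is chosen only for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cap for this example; a real decoder would read it from its resource policy. */
#define TILE_BUDGET_BYTES ((size_t) 256 * 1024 * 1024)

/* Returns 1 and stores columns*rows*elem_size in *total when the product
   neither wraps size_t nor exceeds budget; returns 0 otherwise. */
static int tile_size_ok(size_t columns, size_t rows, size_t elem_size,
                        size_t budget, size_t *total)
{
    if (columns == 0 || rows == 0 || elem_size == 0)
        return 0;
    if (rows > SIZE_MAX / elem_size)
        return 0;                     /* rows * elem_size would wrap */
    size_t row_bytes = rows * elem_size;
    if (columns > budget / row_bytes)
        return 0;                     /* over budget; also rules out a wrap */
    *total = columns * row_bytes;
    return 1;
}

/* Allocate a tile buffer only after the file-declared dimensions pass the check. */
static void *acquire_tile_pixels(size_t columns, size_t rows, size_t elem_size)
{
    size_t total;
    if (!tile_size_ok(columns, rows, elem_size, TILE_BUDGET_BYTES, &total))
        return NULL;
    return malloc(total);
}

int main(void)
{
    /* Constructed values: a sane tile, then an oversized "rows" field. */
    void *ok = acquire_tile_pixels(256, 256, sizeof(uint32_t));
    void *bad = acquire_tile_pixels(256, (size_t) 0x7fffffff, sizeof(uint32_t));
    printf("sane tile: %s\n", ok ? "allocated" : "rejected");
    printf("oversized rows: %s\n", bad ? "allocated" : "rejected");
    free(ok);
    free(bad);
    return 0;
}
```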

Exploitation

An attacker needs only to provide a specially crafted TIFF file to a target system. If a user or automated system (e.g., image processing pipeline) opens the file with ImageMagick (e.g., via convert), the vulnerable code path is reached. No authentication or special privileges are required; the attack is remote if the file is delivered through email, web upload, or similar means. The critical parameter rows is controlled by the attacker, allowing memory exhaustion even if memory limits like 256MiB are set via policy.xml, as noted in [2].

Impact

Successful exploitation leads to denial of service due to memory exhaustion. According to the Ubuntu security notice [1], this vulnerability could also potentially allow arbitrary code execution with the privileges of the user running ImageMagick, although the primary reported impact is denial of service. The attacker gains no persistent access but can disrupt availability.

Mitigation

A fix is included in Ubuntu package updates released on 2018-07-10 [1]. Users should upgrade to the appropriate package version for their Ubuntu release (e.g., 8:6.9.7.4+dfsg-16ubuntu6.9 for 18.04 LTS). Upstream ImageMagick also addressed the issue; users should update to a version later than 7.0.7-1. No workaround is available other than applying the patch. This CVE is not listed in the KEV catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

17

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2
