CVE-2017-18252

Vulnerability

The vulnerability resides in the MogrifyImageList function in MagickWand/mogrify.c of ImageMagick 7.0.7. When processing a specially crafted image file, CloneImage can return a NULL pointer, which is then passed to ReplaceImageInList. The latter function contains an assertion (assert(replace != (Image *) NULL)) that triggers a crash when the assertion fails, causing the application to exit [2]. This code path is reachable when ImageMagick processes a malformed image file.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious image file that triggers the NULL return from CloneImage. The attacker does not require any special network position or authentication; the attack vector is local or remote if the victim's system processes the file automatically (e.g., via a web service or email attachment). The user or automated system must be tricked into opening the crafted image with ImageMagick [1].

Impact

Successful exploitation results in a denial of service due to the assertion failure and application exit. According to the Ubuntu security advisory, this vulnerability may also potentially allow arbitrary code execution with the privileges of the user invoking the program [1]. The exact impact depends on the context in which ImageMagick is used.

Mitigation

The issue is fixed in ImageMagick versions released after 7.0.7. Ubuntu users can update to the patched package versions provided in USN-3681-1 (e.g., 8:6.9.7.4+dfsg-16ubuntu6.1 for Ubuntu 18.04 LTS) [1]. No workaround is documented; the recommended mitigation is to apply the available updates.