CVE-2018-8804

Vulnerability

WriteEPTImage in coders/ept.c of ImageMagick 7.0.7-25 Q16 triggers a double-free when processing a crafted EPT file. The function calls WritePS2Image, which writes JPEG data; the double-free occurs via ResizeMagickMemory during memory reallocation in the JPEG compression termination [1][2]. The condition is reachable when a user converts a specially crafted image to an EPT format using tools like convert.

Exploitation

An attacker must trick a user or automated system (e.g., a web service using ImageMagick) into processing a malicious image file. No special privileges or network position are required; the exploit is triggered by simply opening or converting the crafted file, as demonstrated by a convert command [2]. The double-free is a memory corruption bug that can be reliably triggered without race conditions.

Impact

Successful exploitation causes a denial of service via application crash, as shown by the AddressSanitizer double-free error [2]. The Ubuntu advisory notes that this could also lead to arbitrary code execution with the privileges of the user invoking ImageMagick [1]. The impact is limited to the security context of the running application, potentially allowing an attacker to execute code or corrupt memory.

Mitigation

Ubuntu released fixed packages in USN-3681-1 (2018-08-16) for all supported releases, including 18.04 LTS (bionic) [1]. Users should upgrade to the latest ImageMagick version (e.g., imagemagick-6.q16 8:6.9.7.4+dfsg-16ubuntu6.3) [1]. For other distributions, apply vendor patches or update to a version containing the fix. No workaround is available; the vulnerability is fully addressed by updating.