VYPR
Unrated severity · NVD Advisory · Published Mar 26, 2021 · Updated Aug 4, 2024

CVE-2020-27829

Description

A heap buffer overflow in the TIFF coder of ImageMagick before version 7.0.10-45 can crash the program, resulting in denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap buffer overflow exists in coders/tiff.c of ImageMagick before version 7.0.10-45 [1]. When processing a specially crafted TIFF image, the function ReadTIFFImage allocates too little memory for the pixel buffer (strip_pixels) because its size calculation underestimates what is needed, and the subsequent writes overflow the heap allocation [2]. In the affected code path, extent is computed from image->columns multiplied by sizeof(uint32), but the allocation used sizeof(*strip_pixels) instead of 2*sizeof(*strip_pixels) [2].

Exploitation

An attacker needs to deliver a malicious TIFF image to a user or process that uses ImageMagick to decode it (e.g., through a web application or image upload). No authentication or special privileges are required if the victim processes the file. The exploitation involves the application calling the vulnerable ReadTIFFImage function, which under-allocates memory and then writes data beyond the allocated buffer [2]. This can be triggered remotely by convincing the victim to open or process the crafted TIFF file.

Impact

Successful exploitation results in a heap buffer overflow, which can cause a program crash, leading to denial of service [1]. The vulnerability is classified as having a medium severity. The CIA impact is primarily availability (denial of service); however, under certain circumstances, heap overflows can be exploited for arbitrary code execution, though this is not confirmed in the references.

Mitigation

The vulnerability is fixed in ImageMagick version 7.0.10-45 [2]. Users should upgrade to this version or later. For Red Hat Enterprise Linux users, Red Hat Product Security marked this as 'WONTFIX' for certain versions due to it being in a security response tracker, meaning they may not provide a backported fix; users should consult their vendor [1]. No workarounds are provided in the references.
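
A host check for the upgrade advice above, as an added example that is not part of the advisory or of the ImageMagick project: it classifies a version string against the fixed release 7.0.10-45. The function names are hypothetical, the sample line is constructed, and 6.x builds are reported as unknown because the page gives no fixed version for that branch; a vendor package with a backported fix can still report an older upstream version.

```shell
#!/bin/sh
# Added example: compare an ImageMagick version with the fixed release
# named in the advisory text (7.0.10-45). Function names are hypothetical.
FIXED="7.0.10-45"

# Split "MAJOR.MINOR.PATCH-BUILD" into four integers; fail on any other shape.
im_split() (
    case "$1" in
        ""|*[!0-9.-]*) exit 1 ;;
    esac
    IFS=.-
    set -- $1
    [ $# -eq 4 ] || exit 1
    for f in "$@"; do [ -n "$f" ] || exit 1; done
    echo "$1 $2 $3 $4"
)

# True if version $1.$2.$3-$4 is lower than $5.$6.$7-$8 (numeric compare,
# so 7.0.9-99 sorts below 7.0.10-45).
im_lt() {
    [ "$1" -ne "$5" ] && { [ "$1" -lt "$5" ]; return; }
    [ "$2" -ne "$6" ] && { [ "$2" -lt "$6" ]; return; }
    [ "$3" -ne "$7" ] && { [ "$3" -lt "$7" ]; return; }
    [ "$4" -lt "$8" ]
}

# Print "vulnerable", "fixed" or "unknown". Accepts a bare version or the
# output of `magick -version` (its "Version: ImageMagick X.Y.Z-P ..." line).
im_cve_2020_27829_status() (
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^Version: ImageMagick \([^ ]*\).*/\1/p')
    [ -n "$ver" ] || ver=$1
    have=$(im_split "$ver") || { echo unknown; exit 0; }
    set -- $have $(im_split "$FIXED")
    # The page names a fixed version for the 7.x line only: do not guess
    # for older major versions.
    [ "$1" -ge 7 ] || { echo unknown; exit 0; }
    if im_lt "$@"; then echo vulnerable; else echo fixed; fi
)

# Constructed sample line in the format `magick -version` prints.
im_cve_2020_27829_status \
    "Version: ImageMagick 7.0.10-44 Q16 x86_64 https://imagemagick.org"
# On a real host: im_cve_2020_27829_status "$(magick -version 2>/dev/null)"
```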

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6

References

2
