CVE-2022-32546

Vulnerability

The vulnerability resides in ImageMagick's PCL coder, specifically in the file coders/pcl.c, where crafted or untrusted input can cause an outside the range of representable values of type unsigned long [1]. This undefined behavior affects ImageMagick versions prior to the fix. The issue occurs when processing specially crafted PCL files, leading to an arithmetic overflow or similar condition that the code does not handle safely [1].

Exploitation

An attacker can exploit this by providing a malicious PCL file to ImageMagick for processing. No authentication or special privileges are required; the attacker only needs to convince a user or system to process the crafted file (e.g., via email, web upload, or command-line invocation). The condition is triggered when the parser encounters values that exceed the representable range of unsigned long, causing undefined behavior [1].

Impact

Successful exploitation can lead to a negative impact on application availability, such as a crash or denial of service. Due to the undefined behavior, other unpredictable consequences may also occur, but the primary impact is availability degradation [1].

Mitigation

Red Hat has marked this issue as WONTFIX for Red Hat Enterprise Linux 6, 7, and 8, indicating that no fix will be provided for those affected versions [1]. Users are advised to update ImageMagick to a version containing the fix, or to avoid processing untrusted PCL files as a workaround [1].