Hello all.

We found a denial of service (DoS) issue in ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, which can cause huge CPU consumption. (CPU 100%)
```
magick -version
Version: ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib cairo djvu fftw fontconfig freetype gvc jbig jng jpeg lcms lqr lzma pangocairo png rsvg tiff webp wmf x xml zlib
```
The policy.xml is as follows:

```xml
<policymap>
  <policy domain="resource" name="temporary-path" value="/tmp"/>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="map" value="512MiB"/>
  <policy domain="resource" name="width" value="8KP"/>
  <policy domain="resource" name="height" value="8KP"/>
  <policy domain="resource" name="area" value="16KP"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="resource" name="file" value="768"/>
  <policy domain="resource" name="thread" value="2"/>
  <policy domain="resource" name="throttle" value="0"/>
  <policy domain="resource" name="time" value="120"/>
  <policy domain="system" name="precision" value="6"/>
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="filter" rights="none" pattern="*" />
  <policy domain="delegate" rights="none" pattern="HTTPS" />
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>
```
Trigger Command: magick convert ./cpu-exhaustion-GetImageIndexInList /dev/null
When debugging, we found an infinite loop in GetImageIndexInList at MagickCore/list.c:652

```
652       for (i=0; images->previous != (Image *) NULL; i++)
(gdb) n
653         images=images->previous;
(gdb)
652       for (i=0; images->previous != (Image *) NULL; i++)
(gdb)
653         images=images->previous;
(gdb)
652       for (i=0; images->previous != (Image *) NULL; i++)
(gdb)
653         images=images->previous;
(gdb)
652       for (i=0; images->previous != (Image *) NULL; i++)
(gdb)
653         images=images->previous;
(gdb) p images->previous
$1 = (struct _Image *) 0x62700145b900
(gdb) n
652       for (i=0; images->previous != (Image *) NULL; i++)
(gdb)
653         images=images->previous;
(gdb) p images->previous
$2 = (struct _Image *) 0x62700148c900
(gdb) n
652       for (i=0; images->previous != (Image *) NULL; i++)
(gdb)
653         images=images->previous;
(gdb) p images->previous
$3 = (struct _Image *) 0x627001485900
```
testcase: https://github.com/henices/pocs/raw/master/cpu-exhaustion-GetImageIndexInList
NSFocus Security Team <security (at) nsfocus (dot) com>
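
As an added illustration (not part of the original report, and not ImageMagick's code or its fix): the backward walk shown at list.c:652 next to a variant that stops when the `previous` chain loops. The `Node` type, the function names, and the assumption that the non-termination comes from a cycle in the list links are hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical stand-in for ImageMagick's Image: only the list links. */
typedef struct Node { struct Node *previous, *next; } Node;

/* Walk from list.c:652-653 in the report; never returns on a cyclic chain. */
static ssize_t index_unchecked(const Node *n)
{
  ssize_t i;
  for (i = 0; n->previous != NULL; i++)
    n = n->previous;
  return i;
}

/* Same walk with Brent's cycle detection: index, or -1 if the chain loops. */
static ssize_t index_checked(const Node *n)
{
  const Node *mark = n;          /* checkpoint the walker is compared against */
  size_t window = 1, steps = 0;
  ssize_t i;
  for (i = 0; n->previous != NULL; i++) {
    n = n->previous;
    if (n == mark)
      return -1;                 /* came back to the checkpoint: cyclic list */
    if (++steps == window) {     /* move checkpoint, double the window */
      mark = n;
      window *= 2;
      steps = 0;
    }
  }
  return i;
}

/* Constructed input: four nodes v0 <- v1 <- v2 <- v3, queried from v3.
   With cyclic != 0, v0.previous points at v2, closing a loop. */
static ssize_t demo(int cyclic, int checked)
{
  Node v[4] = {{NULL, NULL}};
  for (int k = 1; k < 4; k++) { v[k].previous = &v[k-1]; v[k-1].next = &v[k]; }
  if (cyclic) v[0].previous = &v[2];
  return checked ? index_checked(&v[3]) : index_unchecked(&v[3]);
}

int main(void)
{
  printf("linear: %ld, cyclic: %ld\n", (long) demo(0, 1), (long) demo(1, 1));
  return 0;
}
```

Calling `demo(1, 0)` runs the unchecked walk on the cyclic list and spins at 100% CPU, which is the symptom described in the report.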
https://github.com/ImageMagick/ImageMagick/issues/910
b8fcb59
d95991f
Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.
This was assigned CVE-2017-18273.