Memory leak in ImageMagick

#VU6836 Memory leak in ImageMagick

Published: 2017-05-26 | Updated: 2017-05-30

Vulnerability identifier: #VU6836

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2017-9098

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ImageMagick
Client/Desktop applications / Multimedia software

Vendor: ImageMagick.org

Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak in in the RLE decoder in ImageMagick before 7.0.5-2 . A remote attacker can create create a specially crafted image file and gain access to certain parts of memory and trigger application crash.

Mitigation
Update to version 7.0.5-2.

Vulnerable software versions

ImageMagick: 7.0.5-0 - 7.0.5-1

CPE

cpe:2.3:a:imagemagick_org:imagemagick:7.0.5-0:*:*:*:*:*:*:*

External links
http://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Debian update for ImageMagick

Ubuntu update for ImageMagick

Denial of service in ImageMagic