ImageMagick Denial-of-Service Vulnerability Due to Divide-by-Zero in Thumbnail Processing

A denial-of-service vulnerability has been identified in ImageMagick versions prior to 6.9.13-28 and 7.1.2-2. The issue arises when a geometry string containing only a colon is passed to the 'montage' command. This input is improperly parsed, leading to a width and height of zero. Subsequently, the 'ThumbnailImage' function attempts to resize an image using these dimensions, causing a divide-by-zero error that crashes the application. The vulnerability can be exploited without any external input files, using a simple command that includes the 'montage' geometry option. The ImageMagick process then terminates abnormally, such as with a SIGFPE signal, indicating a floating-point exception.

Impact

Exploitation of this vulnerability causes an immediate crash of the ImageMagick process, disrupting any ongoing image processing tasks.

Reproduction

To reproduce this vulnerability, use the 'montage' command with the '-geometry' option set to a single colon. This can be done by running 'magick montage -geometry : xc:white null:'. The command will fail with a divide-by-zero error, causing ImageMagick to crash.

Remediation

Users can upgrade to ImageMagick versions 6.9.13-28 or 7.1.2-2 to address this vulnerability.