What is CVE-2018-10177?

CVE-2018-10177 is a vulnerability in ImageMagick that allows a remote attacker to cause a denial of service by exploiting an infinite loop in the ReadOneMNGImage function of the coders/png.c file.

How can this vulnerability be exploited?

This vulnerability can be exploited by persuading a victim to open a specially-crafted mng file.

What is the severity of CVE-2018-10177?

The severity of CVE-2018-10177 is medium with a CVSS score of 6.5.

Which software versions are affected by CVE-2018-10177?

ImageMagick 7.0.7-28 and IBM Data Risk Manager version up to 2.0.6 are affected by CVE-2018-10177.

How can I fix CVE-2018-10177?

To fix CVE-2018-10177, update to ImageMagick version 8:6.8.9.9-7ubuntu5.11 or later, or apply the relevant patch provided by your software vendor.

Vulnerability/
CVE-2018-10177

medium

6.5

CWE

835

16/4/2018

13/8/2021

CVE-2018-10177

First published: Mon Apr 16 2018(Updated: )

ImageMagick is vulnerable to a denial of service, caused by an error in the ReadOneMNGImage function of the coders/png.c file. By persuading a victim to open a specially-crafted mng file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
IBM Data Risk Manager	<=2.0.6
ImageMagick ImageMagick	=7.0.7-28
Canonical Ubuntu Linux	=14.04
Canonical Ubuntu Linux	=16.04
Canonical Ubuntu Linux	=17.10
Canonical Ubuntu Linux	=18.04
ubuntu/imagemagick	<8:6.9.7.4+dfsg-16ubuntu2.2	8:6.9.7.4+dfsg-16ubuntu2.2
ubuntu/imagemagick	<8:6.9.7.4+dfsg-16ubuntu6.2	8:6.9.7.4+dfsg-16ubuntu6.2
ubuntu/imagemagick	<8:6.7.7.10-6ubuntu3.11	8:6.7.7.10-6ubuntu3.11
ubuntu/imagemagick	<8:6.8.9.9-7ubuntu5.11	8:6.8.9.9-7ubuntu5.11
debian/imagemagick		8:6.9.10.23+dfsg-2.1+deb10u1 8:6.9.10.23+dfsg-2.1+deb10u7 8:6.9.11.60+dfsg-1.3+deb11u2 8:6.9.11.60+dfsg-1.3+deb11u3 8:6.9.11.60+dfsg-1.6 8:6.9.11.60+dfsg-1.6+deb12u1 8:6.9.12.98+dfsg1-5.2

Remedy

https://github.com/ImageMagick/ImageMagick/commit/9fdda6391e38aaad3bfd6a30bd6a72bd31aeee02

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2018-10177?
CVE-2018-10177 is a vulnerability in ImageMagick that allows a remote attacker to cause a denial of service by exploiting an infinite loop in the ReadOneMNGImage function of the coders/png.c file.
How can this vulnerability be exploited?
This vulnerability can be exploited by persuading a victim to open a specially-crafted mng file.
What is the severity of CVE-2018-10177?
The severity of CVE-2018-10177 is medium with a CVSS score of 6.5.
Which software versions are affected by CVE-2018-10177?
ImageMagick 7.0.7-28 and IBM Data Risk Manager version up to 2.0.6 are affected by CVE-2018-10177.
How can I fix CVE-2018-10177?
To fix CVE-2018-10177, update to ImageMagick version 8:6.8.9.9-7ubuntu5.11 or later, or apply the relevant patch provided by your software vendor.

collector/ibm-support
collector/nvd-index
agent/author
agent/type
agent/last-modified-date
agent/first-publish-date
collector/launchpad-cve
source/Launchpad
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2018-10177
collector/nvd-cve
source/NVD
agent/software-canonical-lookup
agent/event
agent/severity
agent/remedy
agent/weakness
agent/references
agent/description
agent/tags
collector/security-tracker-debian
source/Debian
agent/softwarecombine
collector/usn-cve
source/Ubuntu
vendor/ibm
canonical/ibm data risk manager
version/ibm data risk manager/2.0.6
vendor/imagemagick
canonical/imagemagick imagemagick
version/imagemagick imagemagick/7.0.7-28
vendor/canonical
canonical/canonical ubuntu linux
version/canonical ubuntu linux/14.04
version/canonical ubuntu linux/16.04
version/canonical ubuntu linux/17.10
version/canonical ubuntu linux/18.04
package-manager/debian
package-manager/ubuntu