Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Android-Gif-Drawable Double-Free Vulnerability

🗓️ 29 Nov 2019 00:00:00Reported by Marcin KozlowskiType 
zdt
 zdt🔗 0day.today👁 316 Views

Android-Gif-Drawable Vulnerability in 28k+ Android App

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for Double Free in Whatsapp
5 Oct 201906:24
githubexploit
GithubExploit		Exploit for Double Free in Whatsapp
3 Oct 201909:26
githubexploit
GithubExploit		Exploit for Double Free in Whatsapp
15 Dec 201917:21
githubexploit
GithubExploit		Exploit for Double Free in Whatsapp
4 Oct 201913:45
githubexploit
GithubExploit		Exploit for Double Free in Whatsapp
4 Oct 201915:19
githubexploit
GithubExploit		Exploit for Double Free in Whatsapp
16 Oct 201910:04
githubexploit
GithubExploit		Exploit for Double Free in Whatsapp
6 Oct 201914:54
githubexploit
GithubExploit		Exploit for Double Free in Whatsapp
23 Oct 201908:02
githubexploit
GithubExploit		Exploit for Double Free in Whatsapp
22 Apr 202021:11
githubexploit
GithubExploit		Exploit for Double Free in Whatsapp
19 Mar 202116:41
githubexploit
Rows per page
Hi list,

CVE-2019-11932 is a vulnerability in the android-gif-drawable library. Yet
the CVE text doesn't mention "android-gif-drawable". It only mentions
WhatsApp. There could be over 28,400 free Android apps that use this
library.

And it seems that quite a few (24) of those 28k+ apps other than WhatsApp
that use android-gif-drawable have install bases just as large as the
WhatsApp install base (1 billion+, per Google Play).

In example, Viber Version from Sep 2019 (11.6.0.15) is vulnerable to
CVE-2019-11932 (double free in libpl_droidsonroids_gif) . Latest 11.9.1 not
anymore. Stacktrace from vuln version:
https://gist.github.com/marcinguy/c4ed223b27f0bd354b43ff23de875ffe

Great work was made to compile list of apps using the framework:

https://gist.github.com/wdormann/874198c1bd29c7dd2157d9fc1d858263

Patch it up folks

Nice idea would be to create shodan or Wappalyzer search engine for Android
Apps frameworks. Count me in, if you want to build something like this.


Thanks,
Marcin

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Nov 2019 00:00Current
0.6Low risk
Vulners AI Score0.6
CVSS 26.8
CVSS 3.18.8
EPSS0.70962
android-gif-drawablevulnerabilitywhatsappinstall basesvibercve-2019-11932frameworks
316