CVE-2019-11932

Published: Oct 3, 2019Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A double free vulnerability in the DDGifSlurp function in decoding.c in the android-gif-drawable library before version 1.2.18, as used in WhatsApp for Android before version 2.19.244 and many other Android applications, allows remote attackers to execute arbitrary code or cause a denial of service when the library is used to parse a specially crafted GIF image.

Affected (2)

Products: Whatsapp: Whatsapp · Android Gif Drawable Project: Android Gif Drawable

1 product

Android Gif Drawable Project

1 product

Android Gif Drawable

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Whatsapp Whatsapp	Before 2.19.244

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Android Gif Drawable Project Android Gif Drawable	Before 1.2.18

Related CWEs

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

References (18)

http://packetstormsecurity.com/files/154867/Whatsapp-2.19.216-Remote-Code-Execution.html

Source: cve-assign@fb.com

Third Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/158306/WhatsApp-android-gif-drawable-Double-Free.html

Source: cve-assign@fb.com

Third Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2019/Nov/27

Source: cve-assign@fb.com

Mailing ListThird Party Advisory

https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/

Source: cve-assign@fb.com

ExploitThird Party Advisory

https://gist.github.com/wdormann/874198c1bd29c7dd2157d9fc1d858263

Source: cve-assign@fb.com

Third Party Advisory

https://github.com/koral--/android-gif-drawable/commit/cc5b4f8e43463995a84efd594f89a21f906c2d20

Source: cve-assign@fb.com

PatchThird Party Advisory

https://github.com/koral--/android-gif-drawable/pull/673

Source: cve-assign@fb.com

Third Party Advisory

https://github.com/koral--/android-gif-drawable/pull/673/commits/4944c92761e0a14f04868cbcf4f4e86fd4b7a4a9

Source: cve-assign@fb.com

Third Party Advisory

https://www.facebook.com/security/advisories/cve-2019-11932

Source: cve-assign@fb.com

Third Party Advisory

http://packetstormsecurity.com/files/154867/Whatsapp-2.19.216-Remote-Code-Execution.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/158306/WhatsApp-android-gif-drawable-Double-Free.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2019/Nov/27

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://gist.github.com/wdormann/874198c1bd29c7dd2157d9fc1d858263

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/koral--/android-gif-drawable/commit/cc5b4f8e43463995a84efd594f89a21f906c2d20

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/koral--/android-gif-drawable/pull/673

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/koral--/android-gif-drawable/pull/673/commits/4944c92761e0a14f04868cbcf4f4e86fd4b7a4a9

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.facebook.com/security/advisories/cve-2019-11932

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.