lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 23 Nov 2019 11:28:39 +0100
From: Marcin Kozlowski <>
Subject: [FD] CVE-2019-11932 (double free in libpl_droidsonroids_gif) many
	apps vulnerable

Hi list,

CVE-2019-11932 is a vulnerability in the android-gif-drawable library. Yet
the CVE text doesn't mention "android-gif-drawable". It only mentions
WhatsApp. There could be over 28,400 free Android apps that use this

And it seems that quite a few (24) of those 28k+ apps other than WhatsApp
that use android-gif-drawable have install bases just as large as the
WhatsApp install base (1 billion+, per Google Play).

In example, Viber Version from Sep 2019 ( is vulnerable to
CVE-2019-11932 (double free in libpl_droidsonroids_gif) . Latest 11.9.1 not
anymore. Stacktrace from vuln version:

Great work was made to compile list of apps using the framework:

Patch it up folks

Nice idea would be to create shodan or Wappalyzer search engine for Android
Apps frameworks. Count me in, if you want to build something like this.


Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists