| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 23 Nov 2019 11:28:39 +0100 From: Marcin Kozlowski <marcinguy@...il.com> To: fulldisclosure@...lists.org Subject: [FD] CVE-2019-11932 (double free in libpl_droidsonroids_gif) many apps vulnerable Hi list, CVE-2019-11932 is a vulnerability in the android-gif-drawable library. Yet the CVE text doesn't mention "android-gif-drawable". It only mentions WhatsApp. There could be over 28,400 free Android apps that use this library. And it seems that quite a few (24) of those 28k+ apps other than WhatsApp that use android-gif-drawable have install bases just as large as the WhatsApp install base (1 billion+, per Google Play). In example, Viber Version from Sep 2019 (11.6.0.15) is vulnerable to CVE-2019-11932 (double free in libpl_droidsonroids_gif) . Latest 11.9.1 not anymore. Stacktrace from vuln version: https://gist.github.com/marcinguy/c4ed223b27f0bd354b43ff23de875ffe Great work was made to compile list of apps using the framework: https://gist.github.com/wdormann/874198c1bd29c7dd2157d9fc1d858263 Patch it up folks Nice idea would be to create shodan or Wappalyzer search engine for Android Apps frameworks. Count me in, if you want to build something like this. Thanks, Marcin _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists