[GHSA-x534-j49x-mqvj] A double free vulnerability in the DDGifSlurp function in... #5162
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,19 +1,43 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-x534-j49x-mqvj", | ||
| "modified": "2023-03-09T05:05:46Z", | ||
| "published": "2022-05-24T16:57:50Z", | ||
| "aliases": [ | ||
| "CVE-2019-11932" | ||
| ], | ||
| "summary": "Double free in android-gif-drawable", | ||
| "details": "A double free vulnerability in the DDGifSlurp function in decoding.c in the android-gif-drawable library before version 1.2.18, as used in WhatsApp for Android before version 2.19.244 and many other Android applications, allows remote attackers to execute arbitrary code or cause a denial of service when the library is used to parse a specially crafted GIF image.", | ||
|
Comment on lines
-9
to
+10
There was a problem hiding this comment. General question: Are changes from NVD not synced back here? According to https://nvd.nist.gov/vuln/detail/cve-2019-11932#VulnChangeHistorySection this change already happened in 2019. (Though the NVD entry has some issues, it contains multiple duplicate reference links.) |
||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" | ||
| } | ||
| ], | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "pl.droidsonroids.gif:android-gif-drawable" | ||
|
There was a problem hiding this comment. Is this enough for Dependabot to notice this, and for it to be synced to https://osv.dev/vulnerability/CVE-2019-11932? If not, could you please review this advisory so it goes from "unreviewed" to "github-reviewed"? There was a problem hiding this comment.
Probably has no effect on osv.dev unfortunately, see google/osv.dev#3049. |
||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "1.2.18" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "last_known_affected_version_range": "< 1.2.18" | ||
| } | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
|
|
@@ -39,6 +63,10 @@ | |
| "type": "WEB", | ||
| "url": "https://gist.github.com/wdormann/874198c1bd29c7dd2157d9fc1d858263" | ||
| }, | ||
| { | ||
| "type": "PACKAGE", | ||
| "url": "https://github.com/koral--/android-gif-drawable" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://www.facebook.com/security/advisories/cve-2019-11932" | ||
|
|
@@ -65,4 +93,4 @@ | |
| "github_reviewed_at": null, | ||
| "nvd_published_at": "2019-10-03T22:15:00Z" | ||
| } | ||
| } | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure why this
modifiedvalue changed, and why it uses a date from 2023. I just copied this from #5161 where it was automatically changed like this.