Published: 2019/09/12  Last Updated: 2019/10/16

Information from LINE Corporation

Vulnerability ID: JVN#39383894
Title: apng-drawable vulnerable to integer overflow
Status: Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

apng-drawable contains an integer overflow vulnerability.

- An integer overflow occurs when a specially crafted image is displayed using apng-drawable.
- This may cause the application to crash, and it can also cause arbitrary code execution.
- An attack vector and impact vary depending on how the library is used.

The fix for this vulnerability is here
- https://github.com/line/apng-drawable/pull/57

Release notes
- https://github.com/line/apng-drawable/releases/tag/v1.7.0

LINE (Android version) was affected by this vulnerability.
- https://jvn.jp/en/jp/JVN97845465/index.html

This vulnerability was discovered within LINE Corporation.
The technical details by the discoverer are posted below
- https://engineering.linecorp.com/ja/blog/intern-report-line-client/

Update history

2019/10/16