Published: 2019/09/19  Last Updated: 2019/10/16

Information from LINE Corporation

Vulnerability ID: JVN#97845465
Title: Multiple integer overflow vulnerabilities in LINE (Android)
Status: Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

LINE (Android version) provided by LINE Corporation contains multiple integer overflow vulnerabilities. This is caused by an image decoding library that is used by LINE Android.

- An integer overflow occurs when a specially crafted image is displayed in LINE Android.
- This may cause the application to crash in a potentially exploitable way.

As far as we have confirmed, the thumbnail display on the talk screen is not affected, and attacks require the user to explicitly display an image. This vulnerability could potentially allow arbitrary code execution, but we have not succeeded in creating exploit code that enables advanced attacks.

This issue was fixed in version 9.15.1 and later, released on September 5, 2019.

The security advisory for apng-drawable, one of the libraries that caused it, is as follows:
- https://jvn.jp/en/jp/JVN39383894/index.html

This vulnerability was discovered within LINE.
The technical details by the discoverer are posted below.
- https://engineering.linecorp.com/ja/blog/intern-report-line-client/

Update history

2019/10/16