ASA-2019-00554 – WhatsApp: Double free vulnerability in the DDGifSlurp function


Allele Security Alert

ASA-2019-00554

Identifier(s)

ASA-2019-00554, CVE-2019-11932

Title

Double free vulnerability in the DDGifSlurp function

Vendor(s)

Facebook

Product(s)

Facebook WhatsApp

Affected version(s)

WhatsApp for Android versions before 2.19.24

Fixed version(s)

WhatsApp for Android version 2.19.24

Proof of concept

Yes

Description

A double free vulnerability in the DDGifSlurp function in decoding.c in libpl_droidsonroids_gif before 1.2.15, as used in WhatsApp for Android before 2.19.244, allows remote attackers to execute arbitrary code or cause a denial of service.

Technical details

Unknown

Credits

Awakened

Reference(s)

How a double-free bug in WhatsApp turns to RCE
https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/

Simple POC for exploiting WhatsApp double-free bug in DDGifSlurp in decoding.c in libpl_droidsonroids_gif
https://github.com/awakened1712/CVE-2019-11932

CVE-2019-11932
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11932

CVE-2019-11932
https://nvd.nist.gov/vuln/detail/CVE-2019-11932

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 14, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.