JVNDB-2019-000060

Multiple integer overflow vulnerabilities in LINE (Android)

Overview

LINE (Android), provided by LINE Corporation, contains the multiple integer overflow vulnerabilities (CWE-190) listed below.
* Integer overflow vulnerability in processing images using apng-drawable - CVE-2019-6007
* Integer overflow vulnerability in processing images - CVE-2019-6010

LINE Corporation reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics: 6.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics: 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2019-6010


CVSS V3 Severity:
Base Metrics: 5.3 (Medium) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics: 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2019-6007

Affected Products

LINE Corporation
  • LINE (Android) versions 4.4.0 and later, prior to 9.15.1

Impact

Having a user read a specially crafted image in LINE (Android) may cause the application to crash, or may lead to arbitrary code being executed by a remote attacker.

Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.
The developer states that the updated version also contains fixes for several other bugs and issues, and therefore recommends that users apply the update.

Vendor Information

LINE Corporation

CWE

  1. Numeric Errors (CWE-189) [IPA Evaluation]

CVE

  1. CVE-2019-6007
  2. CVE-2019-6010

References

  1. JVN : JVN#97845465
  2. National Vulnerability Database (NVD) : CVE-2019-6007
  3. National Vulnerability Database (NVD) : CVE-2019-6010

Revision History

  • [2019/09/19]
      Web page was published
  • [2019/10/08]
      References : Content was added
  • [2019/10/18]
      Vendor Information : Content was added