Update libpng in OpenCV 2.4.11 for Android


On the 16th of June 2016 we got the email this is in the quote block below from The Google Play Team.

The email said that our application Face Detection and Recognition, which uses OpenCV for Android is affected by a security bug of libpng that is bundled in version 2.4.11. At the time that this post was written, version 2.4.11 was the latest one and the last update time to it was 2015-03-05.

Since there was no bug fix at the time, we had to take action into patching our application. Below are the steps you need to follow to replicate the bug fix:

  1. Download Android NDK if you did not already, you will need it in the following steps. The Android NDK project page is https://developer.android.com/ndk/.
    We used version android-ndk-r12b-linux-x86_64.zip for Linux 64-bit (x86) from https://developer.android.com/ndk/downloads/. After you download it, unzip it and copy the path of the folder.
  2. Download a copy of the libpng for Android repository in zip format from here https://github.com/julienr/libpng-android/archive/master.zip. Please note that this repository is not an official OpenCV repository.
  3. Unzip the libpng for Android downloaded file. Go to [LIBPNG_FOR_ANDROID_FOLDER]/jni/ and using a text editor open file config.h. Find the values for the following 3 variables PACKAGE_STRING PACKAGE_VERSION VERSION and make sure that they have the correct version number. At the time this post was written, the author of the repository omitted to update those values from 1.4.1 to 1.6.23. ([download id=”2000″])
  4. Using a terminal go into the folder that was created and execute: ./build.sh
  5. In case you get the error ./build.sh: line 2: ndk-build: command not found then edit build.sh using a text editor and on line 2 add the full path to the file ndk-build that is in the folder of the Android NDK you unzipped before. After you do this change execute ./build.sh again.
  6. Inside each of the folders in [LIBPNG_FOR_ANDROID_FOLDER]/obj/local/ you will find a file called libpng.a.
    Copy those files while renaming them to liblibpng.a into the respective folders of the OpenCV library you are using in you project that are found here [OPENCV_FOLDER]/sdk/native/3rdparty/libs/.
    Inside [LIBPNG_FOR_ANDROID_FOLDER]/obj/local/ we found the following folders: arm64-v8a, armeabi, armeabi-v7a, mipsmips64, x86x86_64.
    We did not use all of them as in [OPENCV_FOLDER]/sdk/native/3rdparty/libs/ we only had armeabi, armeabi-v7a, mips, x86.
  7. Rebuild your applications, test them and if they are OK upload the new versions online.

Hello Google Play Developer,

We detected that your app(s) listed at the end of this email are using an unsafe version of the libpng library. Apps with vulnerabilities like this can expose users to risk of compromise and may be considered in violation of our Malicious Behavior policy.

What’s happening

Beginning September 17, 2016, Google Play will block publishing of any new apps or updates that use vulnerable versions of libpng. Your published APK version will not be affected, however any updates to the app will be blocked unless you address this vulnerability.

Action required: Migrate your app(s) to use libpng v1.0.66, v.1.2.56, v.1.4.19, v1.5.26 or higher as soon as possible and increment the version number of the upgraded APK.

Next steps

  1. Download the latest version of libpng from the libpng website.
  2. Sign in to your Developer Console and submit the updated version of your app.
  3. Check back after five hours – we’ll show a warning message if the app hasn’t been updated correctly.

The vulnerability stems from an out of bounds memory access that could potentially lead to code execution. Versions 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 are affected.

You can read more about the vulnerability in CVE-2015-8540. For other technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.”

While these specific issues may not affect every app that uses libpng, it’s best to stay up to date on all security patches.https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8540

We’re here to help

If you feel we have sent this warning in error, you can contact our developer support team.

Regards,

The Google Play Team

 

Affected app(s) and version(s) are listed below. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.

net.bytefreaks.opencvfacerecognition   1

Related post by Google Play Team:

How to fix apps containing Libpng Vulnerability

This information is intended for developers of apps that utilize any version of libpng library, that contains a security vulnerability disclosed in CVE-2015-8540. Apps with vulnerabilities like this can expose users to risk of compromise and may be considered in violation of our Malicious Behavior policy.

Please migrate your app(s) to libpng v1.0.66, v.1.2.56, v.1.4.19, v1.5.26 or higher as soon as possible and increment the version number of the upgraded APK. Beginning Sep 17, 2016, Google Play will block publishing of any new apps or updates that use vulnerable versions of libpng. Your published app version will remain unaffected, however any updates to the app will be blocked unless they address this vulnerability.

Next steps

  1. Download the latest version of libpng from the libpng website.
  2. Sign in to your Developer Console and submit the updated version of your app.
  3. Check back after five hours – we’ll show a warning message if the app hasn’t been updated correctly. Note that some processing delays are common even if your app has fixed the vulnerability.

The vulnerability stems from an out of bounds memory access that could potentially lead to code execution. Versions 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 are affected.
You can read more about the vulnerability in CVE-2015-8540.

For other technical questions, you can post to Stack Overflow and use the tags “android-security”. Note that questions about Play policy should not be posted to Stack Overflow.

While these specific issues may not affect every app that uses libpng, it’s best to stay up to date on all security patches. Apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel you have received this vulnerability warning in error, contact our policy support team through the Google Play Developer Help Center.

–From https://support.google.com/faqs/answer/7011127

This post is also available in: Greek

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.