On the 16th of June 2016 we got the email that is in the quote block below from The Google Play Team.
The email said that our application Face Detection and Recognition, which uses OpenCV for Android, is affected by a security bug of libpng that is bundled in version 2.4.11. At the time that this post was written, version 2.4.11 was the latest one and it had last been updated on 2015-03-05.
Since there was no bug fix at the time, we had to patch our application ourselves. Below are the steps you need to follow to replicate the bug fix:
- Download the Android NDK if you have not already; you will need it in the following steps. The Android NDK project page is https://developer.android.com/ndk/. We used version android-ndk-r12b-linux-x86_64.zip for Linux 64-bit (x86) from https://developer.android.com/ndk/downloads/. After you download it, unzip it and copy the path of the folder.
- Download a copy of the libpng for Android repository in zip format from https://github.com/julienr/libpng-android/archive/master.zip. Please note that this repository is not an official OpenCV repository.
- Unzip the downloaded libpng for Android file. Go to [LIBPNG_FOR_ANDROID_FOLDER]/jni/ and, using a text editor, open the file config.h. Find the values of the following 3 variables: PACKAGE_STRING, PACKAGE_VERSION and VERSION, and make sure that they have the correct version number. At the time this post was written, the author of the repository had not updated those values from 1.4.1 to 1.6.23.
- Using a terminal, go into the folder that was created and execute:
  ./build.sh
- In case you get the error
  ./build.sh: line 2: ndk-build: command not found
  then edit build.sh using a text editor and on line 2 add the full path to the file ndk-build that is in the folder of the Android NDK you unzipped before. After you make this change, execute ./build.sh again.
- Inside each of the folders in [LIBPNG_FOR_ANDROID_FOLDER]/obj/local/ you will find a file called libpng.a. Copy those files, renaming them to liblibpng.a, into the respective folders of the OpenCV library you are using in your project, which are found in [OPENCV_FOLDER]/sdk/native/3rdparty/libs/. Inside [LIBPNG_FOR_ANDROID_FOLDER]/obj/local/ we found the following folders: arm64-v8a, armeabi, armeabi-v7a, mips, mips64, x86, x86_64. We did not use all of them, as in [OPENCV_FOLDER]/sdk/native/3rdparty/libs/ we only had armeabi, armeabi-v7a, mips, x86.
- Rebuild your applications, test them and, if they are OK, upload the new versions online.
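The copy step above with a version check added, as an example that is not part of the original post: it copies only the ABI folders OpenCV actually ships and refuses an archive whose libpng version still falls in the ranges the e-mail lists as affected. The function names are hypothetical, and it assumes the built libpng.a contains the "libpng version X.Y.Z" banner that libpng compiles in.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the X.Y.Z from the "libpng version X.Y.Z" banner found in a library
# file (assumption: the archive carries the banner libpng compiles in).
libpng_version_of() {
    LC_ALL=C grep -a -o 'libpng version [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' "$1" |
        head -n 1 | sed 's/^libpng version //'
}

# Succeed (exit 0) if the version is in the ranges the Google Play e-mail
# lists as affected: 1.0.x < 1.0.66, 1.1.x and 1.2.x < 1.2.56,
# 1.3.x and 1.4.x < 1.4.19, 1.5.x < 1.5.26.
is_vulnerable_libpng() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}
    [ "$major" = 1 ] || return 1
    case "$minor" in
        0) fixed=66 ;;
        1|3) return 0 ;;      # every 1.1.x and 1.3.x release is affected
        2) fixed=56 ;;
        4) fixed=19 ;;
        5) fixed=26 ;;
        *) return 1 ;;
    esac
    [ "${patch:-0}" -lt "$fixed" ]
}

# install_libpng SRC DST
#   SRC = [LIBPNG_FOR_ANDROID_FOLDER]/obj/local
#   DST = [OPENCV_FOLDER]/sdk/native/3rdparty/libs
# Copies libpng.a to liblibpng.a for every ABI folder present in both trees and
# stops with an error if a rebuilt archive is unidentifiable or still affected.
install_libpng() {
    src=$1; dst=$2
    for lib in "$src"/*/libpng.a; do
        [ -f "$lib" ] || continue
        abi=$(basename "$(dirname "$lib")")
        [ -d "$dst/$abi" ] || continue        # OpenCV does not ship this ABI
        ver=$(libpng_version_of "$lib")
        if [ -z "$ver" ] || is_vulnerable_libpng "$ver"; then
            echo "refusing $abi: libpng version '${ver:-unknown}'" >&2
            return 1
        fi
        cp "$lib" "$dst/$abi/liblibpng.a" && echo "$abi $ver"
    done
}
```

Running libpng_version_of on the liblibpng.a files already in the OpenCV folder before the copy shows which version the app was shipping.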
Hello Google Play Developer,
We detected that your app(s) listed at the end of this email are using an unsafe version of the libpng library. Apps with vulnerabilities like this can expose users to risk of compromise and may be considered in violation of our Malicious Behavior policy.
What’s happening
Beginning September 17, 2016, Google Play will block publishing of any new apps or updates that use vulnerable versions of libpng. Your published APK version will not be affected, however any updates to the app will be blocked unless you address this vulnerability.
Action required: Migrate your app(s) to use libpng v1.0.66, v.1.2.56, v.1.4.19, v1.5.26 or higher as soon as possible and increment the version number of the upgraded APK.
Next steps
- Download the latest version of libpng from the libpng website.
- Sign in to your Developer Console and submit the updated version of your app.
- Check back after five hours – we’ll show a warning message if the app hasn’t been updated correctly.
The vulnerability stems from an out of bounds memory access that could potentially lead to code execution. Versions 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 are affected.
You can read more about the vulnerability in CVE-2015-8540. For other technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.”
While these specific issues may not affect every app that uses libpng, it’s best to stay up to date on all security patches. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8540
We’re here to help
If you feel we have sent this warning in error, you can contact our developer support team.
Regards,
The Google Play Team
Affected app(s) and version(s) are listed below. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.
net.bytefreaks.opencvfacerecognition 1
Related post by Google Play Team:
How to fix apps containing Libpng Vulnerability
This information is intended for developers of apps that utilize any version of libpng library, that contains a security vulnerability disclosed in CVE-2015-8540. Apps with vulnerabilities like this can expose users to risk of compromise and may be considered in violation of our Malicious Behavior policy.
Please migrate your app(s) to libpng v1.0.66, v.1.2.56, v.1.4.19, v1.5.26 or higher as soon as possible and increment the version number of the upgraded APK. Beginning Sep 17, 2016, Google Play will block publishing of any new apps or updates that use vulnerable versions of libpng. Your published app version will remain unaffected, however any updates to the app will be blocked unless they address this vulnerability.
Next steps
- Download the latest version of libpng from the libpng website.
- Sign in to your Developer Console and submit the updated version of your app.
- Check back after five hours – we’ll show a warning message if the app hasn’t been updated correctly. Note that some processing delays are common even if your app has fixed the vulnerability.
The vulnerability stems from an out of bounds memory access that could potentially lead to code execution. Versions 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 are affected.
You can read more about the vulnerability in CVE-2015-8540. For other technical questions, you can post to Stack Overflow and use the tags “android-security”. Note that questions about Play policy should not be posted to Stack Overflow.
While these specific issues may not affect every app that uses libpng, it’s best to stay up to date on all security patches. Apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel you have received this vulnerability warning in error, contact our policy support team through the Google Play Developer Help Center.