
Outdated "libpng" Library Contains Known Security Flaw

Open A-Yatsyk opened this issue 2 years ago • 4 comments

Description

Current behavior:

Library appears to be using an outdated version of "libpng" (1.6.22), which contains a known severe vulnerability.

Expected behavior:

The "libpng" version has been updated to at least 1.6.32

Version

uCrop: 2.2.8-native

A-Yatsyk avatar Jun 08 '22 14:06 A-Yatsyk

@shliama do you have any idea how to do it in the ucrop package? To be honest I tried but after half a day I have no clue @A-Yatsyk

alicja-mruk avatar Jan 23 '23 20:01 alicja-mruk

@dmitriy1morozov Can you help?

alicja-mruk avatar Jan 24 '23 18:01 alicja-mruk

@alicja-mruk as far as I remember (compiled these native libs 6 years ago) - all the 3rd-party libraries like libpng & libjpeg were static global dependencies (basically, C++ files on my laptop) that were compiled into the .so files https://github.com/Yalantis/uCrop/tree/develop/ucrop/src/main/jniLibs as per config file https://github.com/Yalantis/uCrop/blob/develop/ucrop/src/main/jni/Android.mk

In order to recompile the files inside the jniLibs folder, one should have the latest libpng & libjpeg dependencies available on their development machine, updated Android.mk & Application.mk scripts, some luck & use ndk build.

Easier said than done, but that's how open source works.

shliama avatar Jan 25 '23 07:01 shliama

@shliama I tried to do it for 2 days and I gave up, so if someone will handle that, please ping me and describe step by step how to do it

alicja-mruk avatar Jan 25 '23 09:01 alicja-mruk
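
Added example (not code from the uCrop project or from any commenter in this thread): a Python check that reports which prebuilt `.so` files, for instance those under `jniLibs` or inside an `.aar`/`.apk`, still embed a libpng older than the 1.6.32 requested in this issue. It assumes the binaries contain libpng's usual `libpng version X.Y.Z` banner string; the function names are illustrative.

```python
import re
import sys
import zipfile
from pathlib import Path

# Banner string libpng compiles into its binaries (assumed present, see lead-in).
LIBPNG_RE = re.compile(rb"libpng version (\d+)\.(\d+)\.(\d+)")
MIN_VERSION = (1, 6, 32)  # minimum version requested in the issue


def libpng_versions(blob: bytes) -> set:
    """Return every libpng version tuple embedded in a binary blob."""
    return {tuple(int(p) for p in m.groups()) for m in LIBPNG_RE.finditer(blob)}


def scan(path: Path) -> dict:
    """Map each native library to the libpng versions found inside it.

    Accepts a single .so file, a directory tree, or a zip-based .aar/.apk.
    """
    found = {}
    if path.is_dir():
        for so in sorted(path.rglob("*.so")):
            found[str(so)] = libpng_versions(so.read_bytes())
    elif zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as archive:
            for name in archive.namelist():
                if name.endswith(".so"):
                    found[name] = libpng_versions(archive.read(name))
    else:
        found[str(path)] = libpng_versions(path.read_bytes())
    return found


def outdated(found: dict, minimum=MIN_VERSION) -> dict:
    """Keep only the libraries that embed a libpng older than `minimum`."""
    return {name: sorted(v for v in versions if v < minimum)
            for name, versions in found.items()
            if any(v < minimum for v in versions)}


if __name__ == "__main__":
    # Usage: python check_libpng.py <jniLibs dir | file.so | file.aar | file.apk>
    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    bad = outdated(scan(target))
    for name, versions in bad.items():
        print(name, ["%d.%d.%d" % v for v in versions])
    sys.exit(1 if bad else 0)
```

A library that reports no version is not proven clean: the banner may be absent or stripped, so treat an empty result as "unknown" and confirm against the sources the `.so` was built from.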