Android Question libpng library

pesquera

Active Member
Licensed User
Longtime User
Hi, on my dev console there is a warning telling me that I must update a library before 09/17/2016 because of some vulnerability.

The library is this: libpng

Has somebody already solved this?
Or, does somebody have an idea about how I can look into my app? In the Library Manager I cannot figure it out.

Info about the vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8540
Info about the library: http://libpng.sourceforge.net/index.html
Info in the dev console: https://support.google.com/faqs/answer/7011127

Thanks!
 

joilts

Member
Licensed User
Longtime User
I got the same message on my project. My libraries list is:

B4X:
Animation (version: 1.02)
BitmapExtended (version: 1.00)
ByteConverter (version: 1.10)
Camera (version: 2.20)
Core (version: 5.80)
CropImageView (version: 1.00)
http (version: 1.36)
JavaObject (version: 2.05)
jhsicezxing1 (version: 1.00)
JpegUtils (version: 1.00)
JSON (version: 1.10)
Phone (Version: 2.28)
Reflection (Version: 2.40)
ScrollView2D (Version: 1.10)
SQL (version: 1.30)
StringUtils (version: 1.02)
TouchImageView (version: 2.11)
UISwitch (version: 1.00)
ViewSetting (version: 1.00)

This is the e-mail message I got:

B4X:
Hello Google Play Developer,
We detected that your app(s) listed at the end of this email are using an unsafe version of the libpng library. Apps with vulnerabilities like this can expose users to risk of compromise and may be considered in violation of our Malicious Behavior policy.
What’s happening
Beginning September 17, 2016, Google Play will block publishing of any new apps or updates that use vulnerable versions of libpng. Your published APK version will not be affected, however any updates to the app will be blocked unless you address this vulnerability.
Action required: Migrate your app(s) to use libpng v1.0.66, v.1.2.56, v.1.4.19, v1.5.26 or higher as soon as possible and increment the version number of the upgraded APK.
Next steps
1.    Download the latest version of libpng from the libpng website.
2.    Sign in to your Developer Console and submit the updated version of your app.
3.    Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly.
The vulnerability stems from an out of bounds memory access that could potentially lead to code execution. Versions 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 are affected.
 
Upvote 0

pesquera

Active Member
Licensed User
Longtime User
Hi, sorry for the delay.. here is my list:
Libraries.png
 
Upvote 0

lemonisdead

Well-Known Member
Licensed User
Longtime User
So it could be JpegUtils (version: 1.00) ?
Edit: I don't see something about libpng in

Edit1: it has to be confirmed by experts. The vulnerability is
Instead of direct struct-access, applications should be using the various png_get_xxx() and png_set_xxx() accessor functions, which have existed for almost as long as libpng itself.
source
I think I have found a direct access in BitmapExtended.jar (but still unsure)
 
Upvote 0

joilts

Member
Licensed User
Longtime User
So it could be JpegUtils (version: 1.00) ?
Edit: I don't see something about libpng in

Edit1: it has to be confirmed by experts. The vulnerability is
source
I think I have found a direct access in BitmapExtended.jar (but still unsure)
Sorry if it is a rookie question, but how can I track down where it is used? As lemonisdead said "I have found a direct....", how can it be done (found)?
 
Upvote 0
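One practical way to answer the "how can I track it down" question is to look for libpng's own embedded version string inside the native libraries of an APK (or of the .jar files in the additional libraries folder). libpng compiles a string of the form "libpng version X.Y.Z" into the library, so scanning every .so member of the archive for that string shows which version, if any, is bundled, and it can be compared against the minimum patched releases listed in Google's notice (1.0.66, 1.2.56, 1.4.19, 1.5.26). The script below is an added example written for this thread, not code from the forum or from B4A; the archive it scans is constructed in memory with fake native libraries, and the file names and version strings in it are made up for the demonstration. It also descends one level into nested .jar/.zip members so a B4A library jar can be checked the same way.

```python
import io
import re
import zipfile

# Minimum patched release per affected libpng branch, as stated in Google's notice:
# 1.0.x -> 1.0.66, 1.1.x/1.2.x -> 1.2.56, 1.3.x/1.4.x -> 1.4.19, 1.5.x -> 1.5.26.
# Branches not listed (e.g. 1.6.x) are treated as not affected by this notice.
FIXED = {
    (1, 0): (1, 0, 66),
    (1, 1): (1, 2, 56),
    (1, 2): (1, 2, 56),
    (1, 3): (1, 4, 19),
    (1, 4): (1, 4, 19),
    (1, 5): (1, 5, 26),
}

# libpng embeds a string such as "libpng version 1.2.54 - ..." in the compiled library.
VERSION_RE = re.compile(rb"libpng version (\d+)\.(\d+)\.(\d+)")


def parse_versions(blob):
    """Return sorted, de-duplicated (major, minor, patch) tuples found in a byte blob."""
    return sorted({tuple(int(x) for x in m.groups()) for m in VERSION_RE.finditer(blob)})


def is_vulnerable(version):
    """True if the version lies inside the affected ranges from the notice."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return False  # branch not listed as affected
    return version < fixed


def scan_archive(archive_bytes, prefix=""):
    """Scan a zip container (APK or JAR) for native libraries that embed a libpng version.

    Returns a list of (member path, version tuple, vulnerable flag). Nested .jar/.zip
    members are scanned one level deep, with their path prefixed by the parent member.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.endswith(".so"):
                for v in parse_versions(data):
                    findings.append((prefix + name, v, is_vulnerable(v)))
            elif name.endswith((".jar", ".zip")) and not prefix:
                findings.extend(scan_archive(data, prefix=name + "!/"))
    return findings


def build_sample_apk():
    """Constructed sample data: a fake APK with two fake native libs and a nested jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("jni/libwrapped.so", b"\x7fELF...libpng version 1.4.18 - constructed\x00")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("lib/armeabi-v7a/libimageproc.so",
                     b"\x7fELF...libpng version 1.2.54 - constructed\x00")
        apk.writestr("lib/armeabi-v7a/libother.so",
                     b"\x7fELF...libpng version 1.6.21 - constructed\x00")
        apk.writestr("classes.dex", b"dex\n035\x00")
        apk.writestr("assets/SomeLib.jar", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    # To check a real file: scan_archive(open("app.apk", "rb").read())
    for path, v, vuln in scan_archive(build_sample_apk()):
        print(f"{path}: libpng {'.'.join(map(str, v))} -> {'VULNERABLE' if vuln else 'ok'}")
```

A library that links libpng statically still carries the version string, so this catches the case where no separate libpng .so exists. Libraries that used the discouraged direct struct access (the point quoted above) are not detectable this way; the version check only tells you whether the bundled libpng itself is within the affected ranges.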

pesquera

Active Member
Licensed User
Longtime User
hello, I've published yesterday and that warning is not there any more :)
I was cleaning source and deleting some libraries, not used for me now: AnimationPlus, ToastMessageShow, StringUtils, PreferenceManager, MPL, MPLZooZ, MaskedEditText
Also, compiled with B4A v6.00
Please take a look, if you are using some of these libs.. hoping this can help
 
Upvote 0