11

I got an email from the Google Play Store regarding "Google Play warning: You are using a vulnerable version of libpng".

The email contains the information below: https://support.google.com/faqs/answer/7011127

I didn't use the libpng library anywhere in my application. But in my Android application, I am using the OpenCV 2.4.5 library. After searching on the internet, I came to know that the OpenCV library uses libpng.

My question: will upgrading from OpenCV 2.4.5 to OpenCV 3.1.0 resolve the "vulnerable version of libpng" warning?

Glenn Randers-Pehrson
SKK

2 Answers

5

The vulnerable version of libpng in OpenCV 2.4.x was updated in OpenCV 2.4.13.1.
It can be downloaded from here.

As @Simon says, OpenCV 3.x is not affected.

More info: #6694 OpenCV 2.x uses vulnerable version of libpng

David Miguel
  • Adding a few details to debug and solve the problem in this answer http://stackoverflow.com/questions/40932922/libpng-vulnerability-issue-even-after-updating-opencv-library/41033393#41033393 – Akshay Bhat 'AB' Dec 08 '16 at 06:48
3

Yes, now confirmed with Google: Updating to 3.1.0 will fix the issue - I've upgraded one of my apps to 3.1.0, and while there's a bit of a bug in Google's detection of this vulnerability, I've had confirmation from a support representative that the new version is not vulnerable to this issue.

--

Previous answer:

No - I've upgraded to 3.1.0 and still get the warning. Edit: see below for update

The OpenCV Android SDK hasn't been updated since December 2015, so hopefully a newer version this year will use a fixed version of libpng.

Edit: some odd behaviour on Google Play, and some digging into the version of libpng that OpenCV 3.1.0 uses, leads me to think that 3.1.0 is not vulnerable. I updated my app and the vulnerability warning was still there (with its warning text updated to the new APK version number). Now, however, Google Play has dismissed the alert, though it still confusingly refers to the new version as vulnerable.

Simon
  • 1
    They said to check in five hours after updating the APK, to see if the warning was gone. Here is the related part from their email: "Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly." – Tony Jun 17 '16 at 14:14
  • @Simon is the issue resolved now (as mentioned in the email - "Check back after five hours")? – SKK Jun 18 '16 at 05:17
  • I'm still not able to confirm this - as noted in my edit above, I updated the APK and the warning text was updated to say the new version of my app was still affected. However, the alert was then dismissed automatically by Google Play. I've sent a support request to clarify - I'll update here when I get a response. – Simon Jun 19 '16 at 17:33
  • 1
    I've now had confirmation from Google - my new app with version 3.1.0 is not vulnerable (see updated answer above) – Simon Jun 24 '16 at 07:42
  • Hello all, I have updated OpenCV to version 3.1 and uploaded the latest APK to the Play Store. But my application is still not getting uploaded and I am getting the same error mentioned in the question. Please help! – Hanish Sharma Aug 01 '17 at 05:33
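
The answers above turn on which libpng version is actually bundled inside the OpenCV native library shipped in the APK. The following is an added example, not code from any of the posters or from OpenCV, that lists the libpng versions embedded in an APK's native libraries so they can be compared with the releases named in the Google advisory linked in the question. It assumes the build keeps libpng's "libpng version X.Y.Z" banner string; the function names and the sample bytes are constructed for illustration.

```python
import io
import re
import zipfile

# libpng compiles a banner of the form " libpng version 1.x.y - <date>" into
# the library (assumption: the linker has not discarded that string).
LIBPNG_BANNER = re.compile(rb"libpng version (\d+)\.(\d+)\.(\d+)")


def libpng_versions_in_apk(apk):
    """Map each native library in the APK to the set of libpng versions it embeds.

    `apk` is a path or a binary file object. Only lib/<abi>/*.so entries are
    scanned, because that is where statically linked copies of libpng end up.
    """
    found = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            data = zf.read(name)
            versions = {tuple(int(p) for p in m.groups())
                        for m in LIBPNG_BANNER.finditer(data)}
            if versions:
                found[name] = versions
    return found


def constructed_apk():
    """Build a small in-memory zip laid out like an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libold_sample.so",
                    b"\x7fELF\0 libpng version 1.5.12 - constructed sample\0")
        zf.writestr("lib/x86/libnew_sample.so",
                    b"\x7fELF\0 libpng version 1.6.24 - constructed sample\0")
        zf.writestr("lib/x86/libother.so", b"\x7fELF\0no png code here\0")
        # Not a native library, so it must be ignored by the scan.
        zf.writestr("assets/notes.txt", b"libpng version 1.0.0")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for lib, versions in sorted(libpng_versions_in_apk(constructed_apk()).items()):
        pretty = ", ".join(".".join(map(str, v)) for v in sorted(versions))
        print(f"{lib}: libpng {pretty}")
```

Pass the path of a release APK to `libpng_versions_in_apk` to scan a real build; every ABI directory is reported separately, which shows up a stale `.so` left behind for one architecture after an upgrade.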