The Google Play Store gives me this error when I am trying to send my application for review:
Your app is using a version of libjpeg-turbo containing a security vulnerability. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.
The Google Help Center article here: https://support.google.com/faqs/answer/7008337 says I should be using libjpeg-turbo v1.4.2 or higher.
My problem is that I am already using version 2.1.4. This is a copy-paste from my CMakeLists.txt:
    include(FetchContent)
    FetchContent_Declare(turbojpeggit
        GIT_REPOSITORY https://github.com/libjpeg-turbo/libjpeg-turbo
        GIT_TAG 2.1.4
    )
    FetchContent_GetProperties(turbojpeggit)
    if(NOT turbojpeggit_POPULATED)
        message("libjpeg-turbo not populated... downloading")
        FetchContent_Populate(turbojpeggit)
        add_subdirectory(${turbojpeggit_SOURCE_DIR} ${turbojpeggit_BINARY_DIR})
        include_directories(${turbojpeggit_SOURCE_DIR})
        include_directories(${turbojpeggit_BINARY_DIR})
        message("libjpeg-turbo downloaded")
    else()
        message("libjpeg-turbo already populated")
    endif()
So I guess this is a false positive, but I am unable to publish my application because of this.
Please help me.
I tried contacting Google but have not received an answer yet.
However, I managed to get the application published by linking against the static version of the libjpeg-turbo library.
Note that there is an ENABLE_SHARED option in libjpeg-turbo that should be set to OFF.
To verify you aren't using the shared version, you can unarchive the apk and check you don't have any of these files:
lib/arm64-v8a/libturbojpeg.so
lib/armeabi-v7a/libturbojpeg.so
lib/x86/libturbojpeg.so
lib/x86_64/libturbojpeg.so
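
The check described above can be scripted so it runs in a build pipeline before upload. This is an added example, not code from the original post; it generalizes the four listed paths to any ABI directory under lib/, and the helper names and the libapp.so entry are constructed for illustration.

```python
import io
import re
import sys
import zipfile

# Matches lib/<abi>/libturbojpeg.so for any ABI directory,
# not only the four paths listed in the answer.
SHARED_LIB = re.compile(r"^lib/[^/]+/libturbojpeg\.so$")


def find_shared_turbojpeg(apk):
    """Return the sorted APK entries that are a shared libturbojpeg build.

    `apk` is a path or a binary file object; an APK is a ZIP archive.
    """
    with zipfile.ZipFile(apk) as archive:
        return sorted(n for n in archive.namelist() if SHARED_LIB.match(n))


def native_libs_by_abi(apk):
    """Map each ABI directory to the sorted .so files packaged for it."""
    result = {}
    with zipfile.ZipFile(apk) as archive:
        for name in archive.namelist():
            parts = name.split("/")
            if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
                result.setdefault(parts[1], []).append(parts[2])
    return {abi: sorted(libs) for abi, libs in result.items()}


def make_constructed_apk(entries):
    """Build an in-memory ZIP with placeholder contents (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in entries:
            archive.writestr(name, b"placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    status = 0
    for path in sys.argv[1:]:
        hits = find_shared_turbojpeg(path)
        print(path, "shared libturbojpeg found:" if hits else "OK", *hits)
        print("  native libs:", native_libs_by_abi(path))
        status = status or (1 if hits else 0)
    sys.exit(status)
```

Run it with one or more APK paths as arguments; it exits non-zero if any of them still packages libturbojpeg.so.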