androidcmakegoogle-playandroid-securitylibjpeg-turbo

Your app is using a version of libjpeg-turbo containing a security vulnerability


Google play store gives me this error when I am trying to send my application for review.

enter image description here

Your app is using a version of libjpeg-turbo containing a security vulnerability. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.

Consulting Google Help Center here: https://support.google.com/faqs/answer/7008337 says I should be using a libjpeg-turbo v1.4.2 or higher.

My problem is that I am already using version 2.1.4. This is a copy paste from my CMakeList.txt

include(FetchContent)

FetchContent_Declare(turbojpeggit
        GIT_REPOSITORY https://github.com/libjpeg-turbo/libjpeg-turbo
        GIT_TAG 2.1.4
        )
FetchContent_GetProperties(turbojpeggit)
if(NOT turbojpeggit_POPULATED)
    message("libjpeg-turbo not populated... downloading")
    FetchContent_Populate(turbojpeggit)
    add_subdirectory(${turbojpeggit_SOURCE_DIR} ${turbojpeggit_BINARY_DIR})
    include_directories(${turbojpeggit_SOURCE_DIR})
    include_directories(${turbojpeggit_BINARY_DIR})
    message("libjpeg-turbo downloaded")
else()
    message("libjpeg-turbo already populated")
endif()

So I guess this is a false positive but I am unable to publish my application because of this.

Please help me.


Solution

  • I tried contacting Google but got no answer yet.

    However, I managed to get the application published by linking against the static version of the libjpeg-turbo library.

    Note there is a ENABLE_SHARED option in libjpeg-turbo that should be set to OFF.

    To verify you aren't using the shared version, you can unarchive the apk and check you don't have any of these files:

    lib/arm64-v8a/libturbojpeg.so
    lib/armeabi-v7a/libturbojpeg.so
    lib/x86/libturbojpeg.so
    lib/x86_64/libturbojpeg.so