libpng security vulnerability
    libpng security vulnerability

    The current Unreal Engine 4 releases use libpng 1.5.2 which has a security vulnerability. Google Play store is flagging any APK with this issue: https://support.google.com/faqs/answer/7011127?hl=en.

    I have updated UE4 for Android to libpng 1.5.27 for 4.14. When this change makes it to GitHub master branch I will update this post with the commit.

    #2
    so this is not making it into 4.13.1?
    ZOMBIE TOWN AHHH (ANDROID/STEAM) | RIDE SHARE EMPIRE (ANDROID/GAME JAM) | NEVER NOT KNIGHT (ANDROID/GAME JAM) | TWITTER | MY UE4 TUTORIALS | ANSWERHUB



      #3
      4.13.1 was already completing testing when this came up.

      If you have source from GitHub, you can use this ZIP update to get the new libpng version with prebuilt Android libraries:

      Updated (x86 and x86_64 libraries corrected):
      https://epicgames.app.box.com/s/29cq...btgqfrk5f51t4a



      This should work with 4.12.x and 4.13.x as-is; let me know if there are any problems with older releases.
      Last edited by Chris Babcock; 10-12-2016, 12:52 PM.



        #4
        How exactly are we supposed to install this? I tried deleting the old folder and placing the new one in, and I wasn't able to build the engine.

        So now I'm trying to just copy this new content over the old one, but I'm not sure how to verify this other than trying to go through the whole process and see if Google accepts it or not (I don't see any libpng entries in my build logs).


          #5
          You need to unzip the file over your engine source NOT delete the old libpng directory; the other platforms still use the older version with this patch.

          Recompiling UE4 (or your code project) for Android after this will link with the new version. The build.cs in the libPNG directory controls which version is used based on the target platform.



            #6
            Thanks, that's what I did, waiting for Google to accept it now.


              #7
              Got bitten by this one during latest update and was trying to build from libpng source myself (having found nothing on GitHub).

              Above zip link works fine on 4.11.2 - Thanks Chris!
              Dialectical a futuristic racer is out now on Google Play (currently soft launched in Australia / New Zealand only).



                #8
                Originally posted by Chris Babcock
                You need to unzip the file over your engine source NOT delete the old libpng directory; the other platforms still use the older version with this patch.

                Recompiling UE4 (or your code project) for Android after this will link with the new version. The build.cs in the libPNG directory controls which version is used based on the target platform.

                Please, help! My brain is very small( Please give more detailed instructions.

                1. unzip file

                I'm trying:
                1. Copy to UE4 (4.12.5)%ROOT%/Engine\Source\ThirdParty\libPNG and run BuildForAndroid.bat
                2. recompile my project
                3. Google — swear (Libpng library. The vulnerabilities were fixed in libpng v1.0.66, v.1.2.56, v.1.4.19, v1.5.26 or higher. You can find more information about how resolve the issue in this Google Help Center article.)

                1. Take UE4 (4.12.5) from GitHub
                2. copy to Engine\Source\ThirdParty\libPNG and run BuildForAndroid.bat
                3. Compile UE4 and recompile my project
                4. Google — swear (Libpng library. The vulnerabilities were fixed in libpng v1.0.66, v.1.2.56, v.1.4.19, v1.5.26 or higher. You can find more information about how resolve the issue in this Google Help Center article.)

                Please, help
                Last edited by Sp0ngeA; 10-04-2016, 03:22 AM.



                  #9
                  1. Get UE4 from GitHub
                  2. Unzip the ZIP into the directory containing Engine (it should write over old UElibPNG.Build.cs and add libPNG-1.5.27 and BuildForAndroid.bat)
                  3. Compile UE4 as normal, then your project
                  4. Package as normal for shipping and upload to Google

                  BuildForAndroid.bat uses the NDK to compile libpng libs for the 4 architectures. These are already included in the ZIP so you should skip running it.
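
For the verification question in #4 and the update steps in #9, one way to check a packaged APK before uploading it (an added example, not code from the thread or from Epic): it scans the APK's native libraries for libpng's embedded `libpng version X.Y.Z` banner and compares each hit with the fixed releases quoted from Google's notice. The file name `libUE4.so`, the sample APK and all function names are assumptions made for the illustration.

```python
import io
import re
import sys
import zipfile

# First fixed release per branch, from the Google Play notice quoted in the thread.
FIXED = {(1, 0): 66, (1, 2): 56, (1, 4): 19, (1, 5): 26}
# Assumption: the linked libpng still carries its "libpng version X.Y.Z" banner.
BANNER = re.compile(rb"libpng version (\d+)\.(\d+)\.(\d+)")


def is_fixed(version):
    """True only if the version is at or above the notice's floor for its branch."""
    major, minor, patch = version
    floor = FIXED.get((major, minor))
    # Branches the notice does not name are reported as not verified.
    return floor is not None and patch >= floor


def scan_apk(apk):
    """Map each native library in the APK to the libpng versions found in it."""
    found = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            hits = {tuple(int(g) for g in m.groups())
                    for m in BANNER.finditer(zf.read(name))}
            if hits:
                found[name] = sorted(hits)
    return found


def unfixed_libs(apk):
    """Libraries that still contain a libpng older than the fixed releases."""
    bad = {name: [v for v in vs if not is_fixed(v)]
           for name, vs in scan_apk(apk).items()}
    return {name: vs for name, vs in bad.items() if vs}


def make_sample_apk(version):
    """Constructed sample: a zip holding one fake .so with only a banner in it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libUE4.so",
                    b"\x7fELF libpng version " + version + b" - constructed\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_apk(b"1.5.2")
    print(unfixed_libs(target) or "no unfixed libpng banner found")
```

An empty result means no banner was found in any `lib/*/*.so`, which is not proof that libpng is absent from the build.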



                    #10
                    Is there any way around this for those of us using the launcher version?



                      #11
                      +1 for a launcher version fix. We have managed to keep our project on the launcher version so far. Needing to build from source will just needlessly complicate our process.



                        #12
                        +1 for fix in 4.13.2



                          #13
                          Originally posted by Chris Babcock
                          1. Get UE4 from GitHub
                          2. Unzip the ZIP into the directory containing Engine (it should write over old UElibPNG.Build.cs and add libPNG-1.5.27 and BuildForAndroid.bat)
                          3. Compile UE4 as normal, then your project
                          4. Package as normal for shipping and upload to Google

                          BuildForAndroid.bat uses the NDK to compile libpng libs for the 4 architectures. These are already included in the ZIP so you should skip running it.

                          Thank you so much! It WORKS!!!



                            #14
                            I too am using the launcher version of 4.13.1 and would like a fix that does not involve building from source. I too got rejected on the play store for security vulnerabilities and would really like to get my updated app up there.



                              #15
                              Same here; using the launcher to create an APK and my app got rejected by Google. My game is for a kids festival that starts soon, so I'm kind of in a pickle right now.
                              Is it possible to unzip the libpng anywhere in the folders of the launcher so it updates the libpng or am I thinking too easy (I'm a designer; not a programmer)?
