App Rejected from Play Store, vulnerable version of libpng

Hi,

My app is ready for beta testing, but Google Play rejected it with the following message:

Vulnerability

Libpng library

The vulnerabilities were fixed in
libpng v1.0.66, v.1.2.56, v.1.4.19,
v1.5.26 or higher. You can find more
information about how to resolve the
issue in this Google Help Center article.

I guess I’ll have to compile in a specific version of libpng - does anyone know if this library was updated for 4.13? How would I check such a thing? If it’s not updated, is there a way to compile in a specific version of a library?

Forgive me if these questions are a bit basic, but this is my first real project with UE4 so I’m still learning the finer points of managing C++ projects.

Thanks!

In UE4 libpng is compiled as a static library; you can find it in Source/ThirdParty/libpng. My 4.13.0 setup from github has 1.5.2, not sure about the latest stable update. I will move your question to bug reports, since if it’s really not updated this needs to be fixed.

I checked the github source and release branch still has 1.5.2. Assuming I can figure out compiling my own static libraries with a newer version, how would I include them in my project? Can I just drop newer libraries into the engine source, edit the UElibpng.build.cs and go for it?

Hi cgardner,

The fix for this missed the cut-off for 4.13.1, unfortunately.

You can find the fix here and integrate the changes to get your project in order to be submitted without the rejection for this particular issue.

As it stands right now, the fix for this will be integrated in 4.14 without the need to manually update this.

Thank you!

Tim

Thanks Tim! I appreciate the help and response!

Hi cgardener,

I had this problem last week. To fix it I had to update the engine to 4.13.2; however, my app had a video embedded and now it doesn't work. The sound plays but there is no image and I am still waiting for the solution…

To add to this since my original post: 4.13.2 now solves the LibPNG issue. We had not originally planned to do a 4.13.2 hotfix, but had two other pertinent issues to resolve as well that allowed us to slip this in before 4.14 without having to manually integrate the changes yourself.

Is there any way to check what version is included in the build?
We are still getting this problem even though we upgraded to 4.13.2
We tried the github version and the other fixes that are listed.

Can a plugin cause the same issue?

Best
-D

@Boldarc_Dan

You can open up your Engine\Source\ThirdParty\LibPNG folder to see what version is listed.

For 4.13/4.14 there should be two folders, libPNG-1.5.2 and libPNG-1.5.27.

It’s possible that plugin could cause it, but I’m not sure. Probably best to make a new post in Packaging and Deployment section with all relevant information and logs.

The issue was resolved. UE 4 engine version was using the right version.

The AR Toolkit plugin had a libPNG.a file that caused the problem.
Deleted the file after communication with the plugin developer and now it works fine.

Thank you for your reply
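
Added example, not part of the original thread or of UE4's tooling: a Python script that answers the "what version is included in the build?" question by searching engine, plugin and packaged binaries for the version banner libpng embeds, and comparing each hit against the fixed releases quoted in the rejection notice. The banner match is a heuristic and the suffix list is an assumption.

```python
import re
import sys
import zipfile
from pathlib import Path

# Minimum fixed release per libpng branch, as quoted in the Play rejection notice.
FIXED = {(1, 0): 66, (1, 2): 56, (1, 4): 19, (1, 5): 26}
# libpng embeds a banner of the form "libpng version X.Y.Z - <date>" (heuristic match).
BANNER = re.compile(rb"libpng version (\d+)\.(\d+)\.(\d+)")
# Assumed set of file types worth scanning; extend as needed.
BINARY_SUFFIXES = {".a", ".so", ".lib", ".dll", ".dylib"}


def is_fixed(version):
    """True if (major, minor, patch) is at or above the fixed release for its branch."""
    branch, patch = version[:2], version[2]
    if branch in FIXED:
        return patch >= FIXED[branch]
    return version >= (1, 5, 26)  # "or higher": later branches pass, unlisted old ones fail


def versions_in(data):
    """Return the sorted set of libpng versions whose banner appears in data."""
    return sorted({tuple(int(g) for g in m.groups()) for m in BANNER.finditer(data)})


def scan(path):
    """Yield (location, version, is_fixed) for binaries under a directory or inside an APK."""
    path = Path(path)
    if path.is_file() and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as apk:  # APK members are compressed, so read each one
            for name in apk.namelist():
                if Path(name).suffix.lower() in BINARY_SUFFIXES:
                    for v in versions_in(apk.read(name)):
                        yield f"{path}!{name}", v, is_fixed(v)
        return
    for f in sorted(path.rglob("*")):
        if f.is_file() and f.suffix.lower() in BINARY_SUFFIXES:
            for v in versions_in(f.read_bytes()):
                yield str(f), v, is_fixed(v)


if __name__ == "__main__":
    for location, v, ok in scan(sys.argv[1]):
        print(f"{'ok  ' if ok else 'FLAG'} libpng {'.'.join(map(str, v))}  {location}")
```

Run it against the project root (including plugin folders) and against the packaged APK. A missing banner does not prove libpng is absent, since a linker may drop the string from a final shared library.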