How to update third-party libraries (libVorbis, due to vulnerability)

Hi Community,

I have a VR app on the Meta Quest store created with UE 4.27 (which I need to stay with).
While uploading a new ASTC build I got a warning that the build is using a version of libVorbis that contains a vulnerability (CVE-2020-20412: lib/codebook.c in libvorbis before 1.3.6, as used in StepMania 5.0.12 and other products, has insufficient array bounds).

I’m prompted to fix it by updating libVorbis to version 1.3.7 or higher.

I’ve found the folder that contains the library: \UE_4.27\Engine\Source\ThirdParty\Vorbis\libvorbis-1.3.2

However, when I download the latest version of libVorbis as .zip, it has a completely different file and folder structure. I assume that I have to somehow build/compile this for UE 4.27 (?), which I don’t have any experience with.

Does anyone have a hint, or is there beginner/non-programmer-friendly documentation on how to update the library?

Thank you,
Marc

The issue in the link was published on 2020-12-26 04:15:12, but Unreal 5.4 still uses Vorbis 1.3.2, so I wouldn’t worry about it.
Unreal may also be using a custom version of that library.
Also, did you read the description of that vulnerability? I wonder why a bug from a dancing game is marked as a vulnerability (maybe some kind of joke, idk)?

Thanks for your reply!

I’m also not sure why it comes up now and never before. Attached is a screenshot of the warning described with “This security vulnerability is important, consider fixing it.”

If it doesn’t make much sense to look into that, I’ll ignore it for now and hope it still gets published as usual.

Thanks,
Marc

Any updates on this? We’re running into the same problem.