libpng security vulnerability

The current Unreal Engine 4 releases use libpng 1.5.2 which has a security vulnerability. Google Play store is flagging any APK with this issue:

I have updated UE4 for Android to libpng 1.5.27 for 4.14. When this change makes it to GitHub master branch I will update this post with the commit.

So this is not making it into 4.13.1?

4.13.1 was already completing testing when this came up.

If you have source from GitHub, you can use this ZIP update to get the new libpng version with prebuilt Android libraries:

Updated (x86 and x86_64 libraries corrected):

This should work with 4.12.x and 4.13.x as-is; let me know if there are any problems with older releases.

How exactly are we supposed to install this? I tried deleting the old folder and placing the new one in, but I wasn't able to build the engine.

So now I'm trying to just copy this new content in over the old one, but I'm not sure how to verify this other than going through the whole process and seeing whether Google accepts it or not (I don't see any libpng entries in my build logs).

You need to unzip the file over your engine source NOT delete the old libpng directory; the other platforms still use the older version with this patch.

Recompiling UE4 (or your code project) for Android after this will link with the new version. The build.cs in the libPNG directory controls which version is used based on the target platform.
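One way to check what the packaged APK actually links against, as an added example that is not from this thread or from Epic: a Python script that opens the APK as a zip and searches each native library for libpng's embedded version string, comparing it with the fixed versions quoted in Google's rejection message. The sample APK contents are constructed, and it is an assumption that the version string survives static linking into the UE4 .so files.

```python
import io
import re
import zipfile

# Minimum fixed versions per libpng branch, as quoted in Google's rejection
# message in this thread (1.0.66, 1.2.56, 1.4.19, 1.5.26 or higher).
FIXED_MIN = {(1, 0): (1, 0, 66), (1, 2): (1, 2, 56),
             (1, 4): (1, 4, 19), (1, 5): (1, 5, 26)}

# libpng embeds "libpng version X.Y.Z" (PNG_HEADER_VERSION_STRING) in every
# build; assumption: it survives static linking into the UE4 .so files.
VERSION_RE = re.compile(rb"libpng version (\d+)\.(\d+)\.(\d+)")

def parse_version(blob):
    """Return (major, minor, patch) of the first libpng version string, or None."""
    m = VERSION_RE.search(blob)
    return tuple(int(x) for x in m.groups()) if m else None

def is_fixed(version):
    """True if version is at or above the fixed release of its branch;
    branches newer than 1.5 (e.g. 1.6.x) are treated as fixed."""
    major, minor, _ = version
    floor = FIXED_MIN.get((major, minor))
    return version >= floor if floor else (major, minor) > (1, 5)

def audit_apk(apk_bytes):
    """Scan each native library in the APK (a zip) for a libpng version.
    Returns {lib path: (version tuple, fixed?)} for libs that contain one."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                v = parse_version(z.read(name))
                if v is not None:
                    report[name] = (v, is_fixed(v))
    return report

def build_sample_apk():
    """Constructed sample (not a real UE4 build): one ABI still on the
    vulnerable 1.5.2, one rebuilt against the 1.5.27 from this thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/armeabi-v7a/libUE4.so", b"\x7fELF..libpng version 1.5.2 - ..\x00")
        z.writestr("lib/x86/libUE4.so", b"\x7fELF..libpng version 1.5.27 - ..\x00")
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for path, (ver, ok) in audit_apk(build_sample_apk()).items():
        print(f"{path}: libpng {'.'.join(map(str, ver))} -> {'OK' if ok else 'VULNERABLE'}")
```

Point `audit_apk` at the bytes of a real packaged APK to see every ABI that still carries the old version before uploading.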

Thanks, that's what I did; waiting for Google to accept it now.

Got bitten by this one during latest update and was trying to build from libpng source myself (having found nothing on GitHub).

Above zip link works fine on 4.11.2 - Thanks Chris!

Please, help! My brain is very small :( Please give more detailed instructions.

  1. unzip file

I tried:

  1. Copy to UE4 (4.12.5)%ROOT%/Engine\Source\ThirdParty\libPNG and run BuildForAndroid.bat

  2. Recompile my project

  3. Google complains (Libpng library. The vulnerabilities were fixed in libpng v1.0.66, v.1.2.56, v.1.4.19, v1.5.26 or higher. You can find more information about how to resolve the issue in this Google Help Center article.)

  4. Take UE4 (4.12.5) from GitHub

  5. copy to Engine\Source\ThirdParty\libPNG and run BuildForAndroid.bat

  6. Compile UE4 and recompile my project

  7. Google complains (Libpng library. The vulnerabilities were fixed in libpng v1.0.66, v.1.2.56, v.1.4.19, v1.5.26 or higher. You can find more information about how to resolve the issue in this Google Help Center article.)

Please, help

  1. Get UE4 from GitHub
  2. Unzip the ZIP into the directory containing Engine (it should write over old UElibPNG.Build.cs and add libPNG-1.5.27 and BuildForAndroid.bat)
  3. Compile UE4 as normal, then your project
  4. Package as normal for shipping and upload to Google

BuildForAndroid.bat uses the NDK to compile libpng libs for the 4 architectures. These are already included in the ZIP so you should skip running it.

Is there any way around this for those of us using the launcher version?

+1 for a launcher version fix. We have managed to keep our project on the launcher version so far. Needing to build from source will just needlessly complicate our process.

+1 for fix in 4.13.2

Thank you so much! It WORKS!!!

I too am using the launcher version of 4.13.1 and would like a fix that does not involve building from source. I too got rejected on the play store for security vulnerabilities :frowning: and would really like to get my updated app up there.

Same here; using the launcher to create an APK and my app got rejected by google. My game is for a kids festival that starts soon, so I’m kind of in a pickle right now.
Is it possible to unzip the libpng anywhere in the folders of the launcher so it updates the libpng or am I thinking too easy (I’m a designer; not a programmer)?

Hi There!
This is a big ongoing problem. I myself have a Blueprint project and experience the same problems. As far as I know, when you don't work with C++ you don't have to recompile, or am I wrong? If so, how do you recompile a BP-type project?
Android keeps on rejecting my project, so please let me know what I am doing wrong, because I have replaced the files as described above.
Thanks for any replies!

To get this to work you need to get the UE4 source from GitHub. If you've not done this before you'll need to link your GitHub account to your Epic account.

On the unrealengine GitHub page click "Clone or download" and choose Download ZIP. Once that is downloaded and unzipped, you need to download and unzip into the same directory to overwrite the problem files.

Compile UE4 using the instructions on the GitHub page I linked above. I'd never done this myself until a few days ago, but it was a fairly painless process.

There are a few linking errors when building x86 and x86_64 APKs. To fix it, the file in the zip needs to be modified like this:

Find this line:

LOCAL_CFLAGS := -O2 -Os -DNDEBUG -fomit-frame-pointer -g0

And add this right below it:

# Match UE4, which does not build its x86/x86_64 targets with -fstack-protector
ifeq ($(TARGET_ARCH_ABI),x86)
	LOCAL_CFLAGS += -fno-stack-protector
endif
ifeq ($(TARGET_ARCH_ABI),x86_64)
	LOCAL_CFLAGS += -fno-stack-protector
endif

Then run "BuildForAndroid.bat" to recompile the libPNG Android libraries.

The problem is caused by UE4 using the "stack-protector" compiler flag on armv7 and arm64 builds but not on x86/x86_64 ones, while libPNG was compiled with that flag for all architectures, causing linker conflicts.

Thank you for the report. I’ve made the changes and rebuilt the libraries. The link above has been updated. You only need the new one if you want to target x86 or x86_64 architectures.

+1 for fix in 4.13.2