
The Google Play Store gives me this error when I try to send my application for review.


Your app is using a version of libjpeg-turbo containing a security vulnerability. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.

The Google Help Center article here: https://support.google.com/faqs/answer/7008337 says I should be using libjpeg-turbo v1.4.2 or higher.

My problem is that I am already using version 2.1.4. This is copied and pasted from my CMakeLists.txt:

```cmake
include(FetchContent)

FetchContent_Declare(turbojpeggit
        GIT_REPOSITORY https://github.com/libjpeg-turbo/libjpeg-turbo
        GIT_TAG 2.1.4
        )
FetchContent_GetProperties(turbojpeggit)
if(NOT turbojpeggit_POPULATED)
    message("libjpeg-turbo not populated... downloading")
    FetchContent_Populate(turbojpeggit)
    add_subdirectory(${turbojpeggit_SOURCE_DIR} ${turbojpeggit_BINARY_DIR})
    include_directories(${turbojpeggit_SOURCE_DIR})
    include_directories(${turbojpeggit_BINARY_DIR})
    message("libjpeg-turbo downloaded")
else()
    message("libjpeg-turbo already populated")
endif()
```

So I guess this is a false positive, but I am unable to publish my application because of this.

Please help me.

Cristi
  • "So I guess this is a false positive but I am unable to publish my application because of this." - In that case Stack Overflow is the **wrong place** to ask such questions, as only Google staff may help you in finding out why you trigger a policy. [The page you refer to](https://support.google.com/faqs/answer/7008337) explicitly notes "that questions about Play policy should not be posted to Stack Overflow." and even directs you to a better place: "If you feel you have received this vulnerability warning in error, contact our policy support team through the Google Play Developer Help Center." – Tsyvarev Oct 11 '22 at 16:51
  • Well... In the link above it says "For other technical questions, you can post to Stack Overflow and use the tags “android-security”". I see this as a technical issue that I posted exactly where Google said I should post it. How do you differentiate in this case between a technical issue and a policy issue? Because it is obviously technical. – Cristi Oct 11 '22 at 17:42
  • When deciding whether a technical problem about some product is suitable for Stack Overflow or not, try to imagine whether someone who is **not staff** could help you with that problem. E.g. a question "How to replace function Foo when migrating from libjpeg-turbo-1.4 to libjpeg-turbo-2.x" could be answered by anyone who is familiar with libjpeg-turbo. So such a question is suitable for Stack Overflow. But your question - "Why do I hit a Google policy when uploading a project which clearly uses libjpeg-turbo-2.x" - can be answered only by Google staff. – Tsyvarev Oct 11 '22 at 17:58
  • Well, if you did not have this issue, you probably can't answer it, but if someone else had this issue they may provide some feedback on how they solved it. And the resolution to this may help some other people facing a similar issue. – Cristi Oct 11 '22 at 18:02
  • "but if someone else had this issue they may provide some feedback on how they solved it." - Does feedback like "I phoned Google support and they resolved my problem in two days" count? You may want to read that [meta question](https://meta.stackoverflow.com/questions/255745/why-cant-i-ask-customer-service-related-questions-on-stack-overflow) about why "support questions" are not suitable for Stack Overflow. – Tsyvarev Oct 11 '22 at 18:08
  • This discussion is pointless ... you are trying to guess a future answer. There are a lot of questions like this on Stack Overflow. There could very well be something I am doing wrong and not necessarily a Google issue. – Cristi Oct 11 '22 at 18:35

1 Answer


I tried contacting Google but got no answer yet.

However, I managed to get the application published by linking against the static version of the libjpeg-turbo library.

Note there is an ENABLE_SHARED option in libjpeg-turbo that should be set to OFF.

To verify you aren't using the shared version, you can unarchive the APK and check that you don't have any of these files:

```
lib/arm64-v8a/libturbojpeg.so
lib/armeabi-v7a/libturbojpeg.so
lib/x86/libturbojpeg.so
lib/x86_64/libturbojpeg.so
```
Cristi
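A scripted form of the check described in the answer above, as an added example that is not part of the original post. The function names are hypothetical; matching `libjpeg.so` and the app-bundle `<module>/lib/<abi>/` layout goes beyond the four paths the answer lists.

```python
import io
import re
import sys
import zipfile

# libturbojpeg.so is the file named in the answer; libjpeg.so is added here
# because a shared libjpeg-turbo build also produces it.
SHARED_NAMES = {"libturbojpeg.so", "libjpeg.so"}

# APK layout: lib/<abi>/<name>.so. The optional leading component also covers
# app bundles, which store native libraries under <module>/lib/<abi>/.
NATIVE_LIB = re.compile(r"^(?:[^/]+/)?lib/([^/]+)/([^/]+\.so)$")


def find_shared_libjpeg(archive):
    """Return sorted (abi, filename) pairs for bundled libjpeg-turbo .so files.

    `archive` is a path or a binary file object; APKs are ZIP archives.
    """
    hits = set()
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            m = NATIVE_LIB.match(name)
            if m and m.group(2) in SHARED_NAMES:
                hits.add((m.group(1), m.group(2)))
    return sorted(hits)


def build_sample_archive(entry_names):
    """Constructed sample input: an in-memory ZIP holding the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"placeholder")  # not a real library
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: python check_apk.py app-release.apk   (file name is an example)
    status = 0
    for path in sys.argv[1:]:
        for abi, lib in find_shared_libjpeg(path):
            print(f"{path}: shared libjpeg-turbo bundled at lib/{abi}/{lib}")
            status = 1
    sys.exit(status)
```

The non-zero exit status lets a CI step fail the build before upload when a shared copy is still being packaged.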