We have received an announcement that the app currently registered with Google Play is using version ligpng, which contains the vulnerability.
While I was looking into where it was used,
$grep-r libpng./*
and
Binary file./build/intermediates/exploded-aar/org.xwalk/xwalk_core_library_beta/13.42.319.12/jni/armeabi-v7a/libxwalkcore.so matches
It says (there were other outputs, but we have omitted them).
We are concerned that our cordova plugin crosswalk is vulnerable.
So I'd like to find out if the version I'm currently using is vulnerable, but I haven't been able to get any clear information.Do you have any clear information about the following?
·Is libpng used for cordova cross walk?
·What versions of libpng are included in cordova crosswalk 1.2.0 as being used?
·What versions of libpng are included in cordova crosswalk 1.7.0 as being used?
*If 1.2.0 is vulnerable, the first thing I think about is to update it, but I understand that the current latest version is 1.7.0, so I would like to know if it is working.
Below is the URL I checked.
https://github.com/crosswalk-project/chromium-crosswalk/tree/master/third_party/libpng
この I don't know if it contains this repository.First of all, the master version is 1.2.56, so there is no problem.I guessed that it was close to 13.42.319.12 (there is no confirmation of this either).For crosswalk-13/42.0.2311.68, 1.2.45 seems to be a problem.
npm site release notes
https://www.npmjs.com/package/cordova-plugin-crosswalk-webview#release-notes
Verify the
In [email protected],
(in 1.1.0 updates)
Based on Crosswalk v13
and
If you look at the latest crosswalk-13 branch,
https://github.com/crosswalk-project/chromium-crosswalk/blob/crosswalk-13/42.0.2311.135/third_party/libpng/README#L1
README for libpng version 1.2.45 - July 7, 2011 (shared library 12.0)
As the questioner said, it seems to be a vulnerable version.
On the other hand, if you look at [email protected] in the release notes,
Uses the latest Crosswalk 18 stable version by default
and so on. If you look at the latest crosswalk-18 branch,
https://github.com/crosswalk-project/chromium-crosswalk/blob/crosswalk-18/48.0.2564.116/third_party/libpng/README#L1
README for libpng version 1.2.52-November 20, 2014 (shared library 12.0)
and
This is the vulnerability you mentioned
https://support.google.com/faqs/answer/7011127?hl=ja
Then 1.2.52 shows a vulnerability.
The latest plug-in 2.1.0,
https://github.com/crosswalk-project/chromium-crosswalk/blob/crosswalk-21/50.0.2661.102/third_party/libpng/README#L1
Since libpng is 1.2.56, it appears to be a fixed version of the vulnerability.
© 2024 OneMinuteCode. All rights reserved.