This information is intended for developers of apps that utilize any version of Libjepg-turbo library, that precedes 1.4.2. Apps with vulnerabilities like this can expose users to risk of compromise and may be considered in violation of our Malicious Behavior policy.
Please migrate your app(s) to libjpeg-turbo v1.4.2 or higher as soon as possible and increment the version number of the upgraded APK. Beginning Sep 17, 2016, Google Play will block publishing of any new apps or updates that use pre-1.4.2 versions of libjpeg-turbo. Your published app version will remain unaffected, however any updates to the app will be blocked unless they address this vulnerability.
Next steps
- Download the latest version of libjpeg-turbo.
- Sign in to your Developer Console and submit the updated version of your app.
- Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly. Note that some processing delays are common even if your app has fixed the vulnerability.
Alternatively, if you're using a 3rd party library that bundles libjpeg_turbo, you’ll need to upgrade it to a version that bundles libjpeg-turbo v1.4.2 or higher.
The vulnerability is in the Huffman decoder that is part of the libjpeg-turbo decompressor. An attacker may exploit this vulnerability by creating an artificial JPEG image with Huffman blocks larger than 430 bytes. Such a file will cause an input buffer overrun and the attacker can gain access to the calling program's memory heap.
For other technical questions, you can post to Stack Overflow and use the tags “android-security”. Note that questions about Play policy should not be posted to Stack Overflow.
While these specific issues may not affect every app that uses libjpeg-turbo, it’s best to stay up to date on all security patches. Apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel you have received this vulnerability warning in error, contact our policy support team through the Google Play Developer Help Center.