Closed iRaam closed 12 months ago
Hey @iRaam,
Hi, thanks for flagging this.
While we can update to version 3.0.0, it appears that it introduces some bugs.
I'm not entirely sure about the specific vulnerability you mentioned, but it seems that we need to stick with com.facebook.fresco:nativeimagetranscoder:2.6.0
to avoid potential crashes in 3.0.0.
Here you can find more context:
https://github.com/facebook/fresco/issues/2714
Dear Developer,
Your app(s) uses an old version of SoLoader that needs to be updated to the latest stable release, v0.10.4.
• com.xxxx.xxxx
Based on reports from internal testing and OEM partners, we identified your app(s) as affected by the following SoLoader bug (which incorrectly assumes that system libraries are present in /vendor/lib:/system/lib, directories which are not available on 64bit-only systems).
You can reproduce the issue by using the Android 12 Emulator in Android Studio and installing the 64-bit part of the APK by ADB Command “adb install --abi arm64-v8a YOUR_APK_FILE.apk”. You may visit developer.android.com/google/play/requirements/64-bit#test-64-bit-hardware for more info on testing 64-bit compatibility.
The latest version of SoLoader, v0.10.4, fixes the following issues which cause app crashes
Hey I have uploaded a staging version. You can give it a try.
implementation "com.giphy.sdk:ui:2.3.7-fresco3"
As it's a staging version, it requires adding:
allprojects {
    repositories {
        maven("https://oss.sonatype.org/content/repositories/staging")
        mavenCentral()
    }
}
Please let me know if that works for you.
@ALexanderLonsky Thank you for your quick response. I tried the above staging version, works fine.
@iRaam thank you for the update, but I need to reopen the issue.
Upon further testing, I discovered a crash when previewing certain GIFs:
java.lang.UnsatisfiedLinkError: dlopen failed: library "libnative-imagetranscoder.so" not found
This is the same issue I mentioned earlier: https://github.com/facebook/fresco/issues/2714#issuecomment-1518925371
The only solution I have found so far is to stick with nativeimagetranscoder:2.6.0
Here is the dependency tree in this case:
+--- com.facebook.fresco:fresco:3.0.0@aar
+--- com.facebook.fresco:animated-gif:3.0.0@aar
+--- com.facebook.fresco:animated-webp:3.0.0@aar
+--- com.facebook.fresco:animated-base:3.0.0@aar
+--- com.facebook.fresco:animated-drawable:3.0.0@aar
+--- com.facebook.fresco:imagepipeline-okhttp3:3.0.0@aar
+--- com.facebook.fresco:vito-options:3.0.0@aar
+--- com.facebook.fresco:drawee:3.0.0@aar
+--- com.facebook.fresco:nativeimagefilters:3.0.0@aar
+--- com.facebook.fresco:memory-type-native:3.0.0@aar
+--- com.facebook.fresco:memory-type-java:3.0.0@aar
+--- com.facebook.fresco:imagepipeline-native:3.0.0@aar
+--- com.facebook.fresco:memory-type-ashmem:3.0.0@aar
+--- com.facebook.fresco:imagepipeline:3.0.0@aar
+--- com.facebook.fresco:webpsupport:3.0.0@aar
+--- com.facebook.fresco:nativeimagetranscoder:2.6.0@aar
+--- com.facebook.fresco:imagepipeline-base:3.0.0@aar
+--- com.facebook.fresco:middleware:3.0.0@aar
I hope this still resolves the initial security vulnerability issue, and the nativeimagetranscoder
should not have any impact on it.
Just in case, I have prepared another staging version for you to test:
implementation "com.giphy.sdk:ui:2.3.7-fresco3-transcoder"
Please let me know if this version works for you. Once confirmed, I can proceed with an official release.
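Added example, not part of the thread and not GIPHY's or Fresco's code: a small Python check over `gradle dependencies`-style output that lists artifacts in one group that are not at the expected version, so a deliberate pin such as nativeimagetranscoder:2.6.0 has to be acknowledged explicitly and any other artifact left on the old release is caught. The function names, the `allowed_pins` parameter and the sample input are constructed for illustration.

```python
import re

# Constructed sample in the format of the tree posted above, plus one
# "requested -> resolved" line as Gradle prints after conflict resolution.
SAMPLE_TREE = """\
+--- com.facebook.fresco:fresco:3.0.0@aar
+--- com.facebook.fresco:drawee:2.6.0 -> 3.0.0
+--- com.facebook.fresco:imagepipeline-native:3.0.0@aar
+--- com.facebook.fresco:nativeimagetranscoder:2.6.0@aar
+--- com.squareup.okhttp3:okhttp:4.9.2
"""

# group:name:version, optional @type, optional "-> resolved version"
COORD = re.compile(
    r"(?P<group>[\w.\-]+):(?P<name>[\w.\-]+):(?P<req>[\w.\-]+)"
    r"(?:@\w+)?(?:\s+->\s+(?P<res>[\w.\-]+))?"
)


def resolved_versions(tree_text, group):
    """Map artifact name -> resolved version for one Maven group."""
    found = {}
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if m and m.group("group") == group:
            # The version after "->" is what actually ships in the APK.
            found[m.group("name")] = m.group("res") or m.group("req")
    return found


def audit(tree_text, group, expected, allowed_pins=None):
    """Return artifacts that are neither at `expected` nor an approved pin."""
    allowed_pins = allowed_pins or {}
    versions = resolved_versions(tree_text, group)
    return {
        name: ver
        for name, ver in sorted(versions.items())
        if ver != expected and allowed_pins.get(name) != ver
    }


if __name__ == "__main__":
    group = "com.facebook.fresco"
    # Without an approved pin, the 2.6.0 artifact is reported.
    print(audit(SAMPLE_TREE, group, "3.0.0"))
    # With the pin recorded, only unexpected stragglers would be reported.
    print(audit(SAMPLE_TREE, group, "3.0.0",
                allowed_pins={"nativeimagetranscoder": "2.6.0"}))
```

Run in CI against the release configuration's tree, a non-empty result means an artifact outside the approved pins is still on a different version than the one the upgrade targeted.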
@ALexanderLonsky I used the new staging version and did some basic testing, seems fine so far. Thanks.
The official version has been released.
The currently used fresco dependency has some security vulnerability. We have to update the fresco library to v3.0.0.
Can it be done? Does it require more changes?