compose-ui 1.3.0 imports protobuf-javalite:3.19.4 which triggers a security alert (CVE-2022-3171) [255545055]

Fixed

Bug

Status Update

No update yet.

Description

lo...@gmail.com

created issue #1

Oct 25, 2022 03:56PM

compose-ui triggers a security alert as it imports inspector.jar which contains protobuf-javalite:3.19.4. Please upgrade the version of protobuf-javalite to at least 3.19.6.

Jetpack Compose version: 1.3.0

Jetpack Compose component(s) used: compose-ui

Steps to Reproduce or Code Sample to Reproduce:

Add compose-ui to a project

Stack trace (if applicable):

ui-1.3.0.aar: inspector.jar/META-INF/maven/com.google.protobuf/protobuf-javalite/pom.xml (pkg:maven/com.google.protobuf/protobuf-javalite@3.19.4, cpe:2.3:a:google:protobuf-java:3.19.4:*:*:*:*:*:*:*, cpe:2.3:a:google:protobuf-javalite:3.19.4:*:*:*:*:*:*:*) : CVE-2022-3171

Comments

cl...@google.com <cl...@google.com> Oct 26, 2022 11:42AM

Assigned to ni...@google.com.

ni...@google.com <ni...@google.com> #2Oct 26, 2022 02:32PM

Do you have a small project that you can share that has this problem ?

It looks like it is a combination of a certain border modifier and a dialog or a popup.

Message last modified on Oct 26, 2022 02:32PM

jl...@google.com <jl...@google.com> #3Oct 26, 2022 06:30PM

I found the problem.

I still don't have a test that show the original problem.
But I can simulate the situation and see a similar failure.

ni...@google.com <ni...@google.com> #4Oct 26, 2022 07:52PM

This fix will be included in the compose 1.3.0-alpha03 release

ni...@google.com <ni...@google.com> #5Dec 15, 2022 08:57PM

Marked as fixed.

This is also fixed in compose 1.2.1

[Deleted User] <[Deleted User]> #6Dec 27, 2022 02:21PM

Thanks

Issue 255545055