Vulnerability CVE-2024-7254 present inside androidx.compose.animation [391002348]

Assigned

Bug

Status Update

No update yet.

Description

qi...@gmail.com

created issue #1

Jan 20, 2025 01:42PM

Jetpack Compose version: 2024.12.01

Jetpack Compose component used: animation-core-android : 1.7.6, animation-android : 1.7.6

Android Studio Build: #AI-242.23339.11.2421.12700392

Kotlin version: 2.1.0

Steps to Reproduce or Code Sample to Reproduce:

We are using androidx.compose.animation:1.7.6 in our project
After completing the Sonatype Nexus IQ scan, we found vulnerability of CVE-2024-7254 It has following details:

Vulnerable Packages:

gem : google-protobuf
maven : com.google.protobuf : protobuf-java
maven : com.google.protobuf : protobuf-javalite
maven : com.google.protobuf : protobuf-kotlin
maven : com.google.protobuf : protobuf-kotlin-lite

Vulnerable Files and Functions:

com/google.protobuf/UnknownFieldSchema.class com/google.protobuf/ArrayDecoders.class com/google.protobuf/CodeInputStream$ArrayDecoders.class com/google.protobuf/CodeInputStream$IterableDirectByteBufferDecoder.class com/google.protobuf/CodeInputStream$UnsafeDirectNioDecoder.class com/google.protobuf/CodeInputStream$StreamDecoder.class

Root Cause androidx/lint/kotlinx/metadata/internal/protobuf/CodedInputStream.class( , 3.1.0)

We kindly request you please fix the above protobuf related security findings in your AndroidX library(androidx.activity and androidx.compose) and provide an ETA of completion.

Thanks

Comments

ti...@google.com <ti...@google.com> #2Jan 21, 2025 06:55PM

Can you try with the latest snapshot? Not reproducible for me on androidx-main.

Issue 391002348

Description

Issue summary

Comments

ti...@google.com <ti...@google.com> #2Jan 21, 2025 06:55PM

Add comment

Issue metadata