Build 'libturbomodulejsijni.so' with option -fstack-protector compile flag to enable Stack Smashing Protection (SSP)

This issue has been tracked since 2022-09-23.

Description

We use React-Native for our Android/iOS application. A security team, on a customer's behalf, identified and reported a vulnerability: the libarcore_sdk_jni.so library is not compiled with Stack smashing protection (SSP) in Android.

This is categorized as "Weak Binary Protection | Lacks Stack smashing Protection (SSP) for Libraries".

https://wiki.osdev.org/Stack_Smashing_Protector#:~:text=The%20Stack%20Smashing%20Protector%20(SSP,mitigation%20against%20return%2Doriented%20programming.

The binary needs to be compiled with 'fstack-protector'. Here are a couple of links which explain the required change:

Version

0.64.2

Output of npx react-native info

System:
  OS: macOS 13.0
  CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
  Memory: 120.68 MB / 16.00 GB
  Shell: 5.8.1 - /bin/zsh
Binaries:
  Node: 14.19.3 - ~/.nvm/versions/node/v14.19.3/bin/node
  Yarn: 1.22.4 - ~/.yarn/bin/yarn
  npm: 6.14.17 - ~/.nvm/versions/node/v14.19.3/bin/npm
  Watchman: 2022.03.21.00 - /usr/local/bin/watchman
Managers:
  CocoaPods: 1.11.3 - /usr/local/bin/pod
SDKs:
  iOS SDK:
    Platforms: DriverKit 22.1, iOS 16.1, macOS 13.0, tvOS 16.1, watchOS 9.1
  Android SDK:
    API Levels: 28, 29, 30, 32
    Build Tools: 27.0.3, 28.0.3, 29.0.2, 30.0.3
    System Images: android-31 | Google APIs Intel x86 Atom_64, android-31 | Google Play Intel x86 Atom_64, android-Tiramisu | Google APIs Intel x86 Atom_64
    Android NDK: Not Found
IDEs:
  Android Studio: 2021.1 AI-211.7628.21.2111.8309675
  Xcode: 14.1/14B5024i - /usr/bin/xcodebuild
Languages:
  Java: 11.0.11 - /usr/bin/javac
npmPackages:
  @react-native-community/cli: ^4.13.0 => 4.14.0
  react: 17.0.1 => 17.0.1
  react-native: 0.64.2 => 0.64.2
  react-native-macos: Not Found
npmGlobalPackages:
  react-native: Not Found

Steps to reproduce

NA

Snack, code example, screenshot, or link to a repository

NA

github-actions[bot] wrote this answer on 2022-09-23

⚠️ Missing Environment Information
ℹ️ Your issue may be missing information about your development environment. You can obtain the missing information by running react-native info in a console.

cortinico wrote this answer on 2022-09-24

> libarcore_sdk_jni.so library is not compiled with Stack smashing protection (SSP) in Android.

libarcore_sdk_jni is not a library we own. It's most likely a library from AR Core SDK from Google so you should open this issue against their issue tracker.

jitendragupta24 wrote this answer on 2022-09-24

@cortinico There was a typo in the description, though the title was correct. I cannot reopen this bug, so I will go ahead and create a new one. Thanks.
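A "lacks SSP" finding like the one reported in this issue is commonly produced by checking whether a shared library's dynamic symbol table references `__stack_chk_fail` or `__stack_chk_guard`. The following is an added example (not code from the issue or from React Native) that performs that check on a little-endian ELF `.so`; the function names are illustrative and `build_sample` fabricates a minimal test image.

```python
import struct

SHT_DYNSYM = 11
SSP_SYMBOLS = {"__stack_chk_fail", "__stack_chk_guard"}

def dynamic_symbols(elf):
    """Names listed in .dynsym of a little-endian ELF32/ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[5] != 1:
        raise ValueError("not a little-endian ELF image")
    is64 = elf[4] == 2
    shoff = struct.unpack_from("<Q" if is64 else "<I", elf, 0x28 if is64 else 0x20)[0]
    shentsize, shnum = struct.unpack_from("<HH", elf, 0x3A if is64 else 0x2E)
    fmt = "<IIQQQQIIQQ" if is64 else "<10I"  # same field order in both classes
    secs = [struct.unpack_from(fmt, elf, shoff + i * shentsize) for i in range(shnum)]
    names = set()
    for sec in secs:
        if sec[1] != SHT_DYNSYM:
            continue
        off, size, link, entsize = sec[4], sec[5], sec[6], sec[9]
        strtab = elf[secs[link][4]:secs[link][4] + secs[link][5]]
        for pos in range(off, off + size, entsize or (24 if is64 else 16)):
            st_name = struct.unpack_from("<I", elf, pos)[0]  # first field in both layouts
            names.add(strtab[st_name:].split(b"\0", 1)[0].decode("ascii", "replace"))
    return names - {""}

def has_stack_protector(elf):
    """True if the library imports the canary failure handler or guard."""
    return bool(SSP_SYMBOLS & dynamic_symbols(elf))

def build_sample(symbols):
    """Constructed input: minimal ELF64 image with only .dynsym and .dynstr."""
    strtab, offs = b"\0", []
    for s in symbols:
        offs.append(len(strtab))
        strtab += s.encode() + b"\0"
    symtab = bytes(24) + b"".join(struct.pack("<IBBHQQ", o, 0x12, 0, 0, 0, 0) for o in offs)
    shoff = 64 + len(symtab) + len(strtab)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 183, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    def sh(typ, off, size, link, ent):
        return struct.pack("<IIQQQQIIQQ", 0, typ, 2, 0, off, size, link, 0, 1, ent)
    return (ehdr + symtab + strtab + bytes(64)
            + sh(11, 64, len(symtab), 2, 24) + sh(3, 64 + len(symtab), len(strtab), 0, 0))

if __name__ == "__main__":
    for label, syms in [("with SSP", ["memcpy", "__stack_chk_fail"]), ("without SSP", ["memcpy"])]:
        print(label, has_stack_protector(build_sample(syms)))
```

A missing reference is a prompt to check the build flags rather than proof: with plain `-fstack-protector`, a library whose functions hold no stack buffers gets no canaries and therefore no reference to these symbols.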

More Details About Repo
Owner Name facebook
Repo Name react-native
Full Name facebook/react-native