Hi, @SundoggyNew , @archurcode , I'd like to report a vulnerability issue in com.tencent.iot.thirdparty.android:ai-face-sdk_6.3.2.156.

Issue Description

com.tencent.iot.thirdparty.android:ai-face-sdk_6.3.2.156 directly or transitively depends on 54 C libraries (.so) cross many platforms(such as arm64-v8a, armeabi-v7a). However, I noticed that some C libraries are vulnerable, containing the following CVEs:

libYTUtils.so from C project libjpeg-turbo(version:1.5.0) exposed 1 vulnerabilities:
CVE-2018-14498
libimisensor.so from C project libpng(version:1.5.12) exposed 9 vulnerabilities:
CVE-2014-9495, CVE-2013-7354, CVE-2013-7353, CVE-2017-12652, CVE-2015-8472, CVE-2016-10087, CVE-2016-3751, CVE-2015-0973, CVE-2015-8540

Suggested Vulnerability Patch Versions

libjpeg-turbo has fixed the vulnerabilities in versions >=2.1.0
libpng has fixed the vulnerabilities in versions >=1.6.37

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects.
Could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~
Best regards,
Helen Parr