Google recently identified a critical vulnerability related to Zip Path Traversal that affects applications utilizing unzipping functionalities. This vulnerability poses a significant security risk as it could potentially lead to unauthorized access to sensitive directories or files within your application's environment. Symantec VIP SDK, like many other software components, was impacted by this vulnerability.
Symantec VIP SDK 4.1.2 for Android
Zip files can contain entries with path traversal characters ("../") in their names. When an application extracts such entries without validating where the resulting path lands, a malicious archive can perform a path traversal attack. This could result in unauthorized writes to arbitrary directories or even overwrite crucial files within your application's private folders.
To address this vulnerability, Broadcom VIP developers implemented a thorough validation mechanism when unzipping files.
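The page does not describe the SDK's validation in detail. As an added illustration (not Broadcom's code), the following Java sketch shows the commonly used canonical-path check for this class of bug: each entry name is resolved against the extraction directory and rejected if it lands outside it. The class name `SafeUnzip`, its methods, and the sample entry names are hypothetical.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
// Hypothetical helper for illustration; not part of the VIP SDK.
public final class SafeUnzip {
    // Resolve an entry name against destDir; reject anything that lands outside it.
    static File resolveEntry(File destDir, String entryName) throws IOException {
        String base = destDir.getCanonicalPath();
        File target = new File(destDir, entryName);
        String resolved = target.getCanonicalPath(); // collapses "../" segments
        // The trailing separator stops "/data/app_other" from matching base "/data/app".
        if (!resolved.equals(base) && !resolved.startsWith(base + File.separator)) {
            throw new SecurityException("Zip entry escapes target directory: " + entryName);
        }
        return target;
    }

    public static void extract(InputStream zipStream, File destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(zipStream)) {
            ZipEntry entry;
            byte[] buf = new byte[8192];
            while ((entry = zis.getNextEntry()) != null) {
                File out = resolveEntry(destDir, entry.getName()); // validate before any write
                if (entry.isDirectory()) {
                    if (!out.isDirectory() && !out.mkdirs()) throw new IOException("mkdir failed: " + out);
                    continue;
                }
                File parent = out.getParentFile();
                if (!parent.isDirectory() && !parent.mkdirs()) throw new IOException("mkdir failed: " + parent);
                try (OutputStream os = new FileOutputStream(out)) {
                    int n;
                    while ((n = zis.read(buf)) != -1) os.write(buf, 0, n);
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        File dest = new File(System.getProperty("java.io.tmpdir"), "unzip-demo");
        System.out.println("accepted: " + resolveEntry(dest, "assets/config.json"));
        try { resolveEntry(dest, "../outside.txt"); } // constructed hostile entry name
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The check runs before any directory or file is created, so a rejected entry leaves nothing on disk and aborts the extraction.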
Remember, the security of applications is of paramount importance. By promptly addressing this vulnerability in your application and assisting developers in deploying the updated version, you contribute significantly to the overall safety and integrity of the mobile app ecosystem.