damonkohler / sl4a

SL4A brings scripting languages to Android by allowing you to edit and execute scripts and interactive interpreters directly on the Android device.
Apache License 2.0

Need confirmation for some unpatched CVE #334

Open the-Chain-Warden-thresh opened 1 year ago

the-Chain-Warden-thresh commented 1 year ago

I'm cloning this repo to make some modifications to customize. However, I've noticed that some CVEs which were confirmed and fixed by OpenSSL or FreeBSD do not get patched in this repo. To enhance the availability of my project as far as possible, I will appreciate it if any of the CVEs below do exist in this repo as well, so that I can fix these security issues myself by applying the corresponding patch. Here are the CVEs I found in this repo unpatched, but get fixed in OpenSSL or FreeBSD:

CVE-2014-0221, with patch here for your reference.

CVE-2013-4854, with patch here for your reference.

CVE-2009-3720, which occurs at both python-build/expat/lib/xmlparse.c and python/src/Modules/expat/xmlparse.c, with patch here for your reference.