fenwii / openharmony Goto Github PK
View Code? Open in Web Editor NEW华为开源鸿蒙分布式操作系统(Huawei OpenHarmony)开发技术交流,最全鸿蒙技术资料库,手册,指南,共建国产操作系统万物互联新生态。
License: MIT License
openharmony's Issues
[Bug Report]: Patch for CVE-2021-3711 in reused component openssl
Contact Details
[email protected]
What happened?
我通过使用V1SCAN(一个扫描存在于复用代码中1-Day漏洞的工具),发现您的项目中Openharmonyv1.0/third_party/openssl/test文件夹下的sm2_internal_test.c文件可能存在漏洞, 具体参考链接如下:
CVE-2021-3711 in sm2_internal_test.c:
相关触发逻辑类似GHSA-5ww6-px42-wc85
NVD说明链接:
https://nvd.nist.gov/vuln/detail/CVE-2021-3711
Replace the line 188 if (!TEST_true(sm2_plaintext_size(key, digest, ctext_len, &ptext_len)) with the following line:
if (!TEST_true(sm2_plaintext_size(ctext, ctext_len, &ptext_len))
考虑到其可能存在的潜在风险,我愿意配合您以负责任的方式及时核实、解决和报告发现的漏洞。 如果您需要任何进一步的信息或帮助,请随时与我联系。如果需要,我也可以提交PR帮助您修复。 谢谢您,期待尽快收到您的回复!
[Bug Report]: Patch for CVE-2021-22901 in reused component curl
Contact Details
[email protected]
What happened?
我通过使用V1SCAN(一个扫描存在于复用代码中1-Day漏洞的工具),发现您的项目中Openharmonyv1.0/third_party/curl/lib文件夹下的multi.c文件可能存在漏洞, 具体参考链接如下:
CVE-2021-22901 in multi.c:
相关触发逻辑类似GHSA-vjwf-ghhc-2p8q
NVD说明链接:
https://nvd.nist.gov/vuln/detail/CVE-2021-22901
commit修复链接:
curl/curl@7f4a9a9
修复方法:
replace the lines at 864-865:
if(conn)
Curl_llist_remove(&conn->easyq, &data->conn_queue, NULL);
to the following code:
if(conn) {
Curl_llist_remove(&conn->easyq, &data->conn_queue, NULL);
Curl_ssl_detach_conn(data, conn);
}
考虑到其可能存在的潜在风险,我愿意配合您以负责任的方式及时核实、解决和报告发现的漏洞。 如果您需要任何进一步的信息或帮助,请随时与我联系。如果需要,我也可以提交PR帮助您修复。 谢谢您,期待尽快收到您的回复!
测试
cs
[Bug Report]: Patch for CVE-2018-9988 & CVE-2019-16910 in reused component mbedtls
Contact Details
[email protected]
What happened?
我通过使用V1SCAN(一个扫描存在于复用代码中1-Day漏洞的工具),发现您的项目中Harmonykernel/KAL/LiteOS/Huawei_LiteOS/components/security/mbedtls/mbedtls-2.6.0/library文件夹下的ssl_cli.c文件和ecdsa.c文件可能存在漏洞, 具体参考链接如下:
CVE-2019-16910 in ecdsa.c:
相关触发逻辑类似GHSA-jg4p-c829-4q39
NVD说明链接:
https://nvd.nist.gov/vuln/detail/CVE-2019-16910
commit修复链接:
Mbed-TLS/mbedtls@027f84c
Since this is resulted mainly by reusing a file in older version, it is recommended to updating it to the latest version.
CVE-2018-9988 in ssl_cli.c:
相关触发逻辑类似GHSA-h9j8-4v77-hmr3
NVD说明链接:
https://nvd.nist.gov/vuln/detail/CVE-2018-9988
commit修复链接:
Mbed-TLS/mbedtls@33f66ba#diff-2fdf7c956098af4050cf1b26e4b5291e6aafab8e8682aa3fcab978baffa3c86c
Replace the line 2476: if( end != p + sig_len ) with the following line:
if( p != end - sig_len )
考虑到其可能存在的潜在风险,我愿意配合您以负责任的方式及时核实、解决和报告发现的漏洞。 如果您需要任何进一步的信息或帮助,请随时与我联系。如果需要,我也可以提交PR帮助您修复。 谢谢您,期待尽快收到您的回复!
WebView自带网络审查加屏蔽,甚至还是上传云端的,也有脸在这种地方传代码吗。
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.