I was assigned Orange (Instance 1016) and cengizkandemir (Instance 1257). By looking at their commit history, pull requests, open issues, and the number of recent contributors, I determined whether the projects were still active.
* Inactive Project: There are 36 total commits and the most recent one was last month. All commits are made by a single user, so they are probably not accepting outside contributions. There are no open issues and no pull requests. Because of this I determined the project to be inactive.
* Inactive Project: This project has 96 total commits, and the most recent commit was only a few days ago. However, before this month, there had been no activity on the project in over a year. Again there are no pull requests or open issues, and there is only a single contributor. Because of all of this, even though there was a very recent string of commits, I would still consider this project inactive.
I have determined that this project is not accepting contributions. There is a single forked repo, but there are no open issues or pull requests. There has not been any activity in over 1.5 months, and there is only one contributor listed in the commit history.
This project is most likely not accepting new contributions. Again there are no active issues or pull requests and only a single contributor in the commit history. While there were some recently made commits, the project was left untouched for over a year before this, so I cannot say with certainty whether a contribution would be accepted, but I am inclined to say "no" for the other reasons.
To find out whether the projects had the vulnerability, I searched their files for pngpread.c and pngrutil.c and compared these to the commit found here.
This is a little weird, but it seems this project has removed libpng from the repository. The filepath that was listed here no longer exists, and I could not find either of the edited files by searching. I went through the commit history and found the most recent version that still contained libpng. Unfortunately, this file had the vulnerability.
This project still has the vulnerability. I simply went to the lines in pngpread.c and pngrutil.c that had changes marked and compared them.
My forked repository can be found here. My latest commit adds the libpng library, while fixing the vulnerability. There shouldn't be any problems; however, a pull request may not be accepted since libpng was recently removed from the original repository.
My forked repository can be found here. My two latest commits should fix the vulnerability with no errors.
Created a pull request here.
Created a pull request here.
Neither pull request was accepted.
I received no response from this repo.
I was asked to link him the information regarding the vulnerability, which I did. I have heard nothing since.