Control: severity -1 normal

Hi Julius,

On Fri, Mar 21, 2025 at 10:31:11PM +0100, Julius Pfrommer wrote:
> Salvatore,
>
> This is pretty bare-bones for a CVE.
> And it would not have become one if the submitter had coordinated with the
> upstream project.
> It's essentially a false positive.
>
> The crasher happens in the fuzzing scaffolding, not in the library itself.
> In this case, a "nice to have" consistency behavior had been added to the
> fuzzing tests as an assert.
> Fixing this made the library better. But this was no segfault that could
> happen in the wild.

Thanks for reporting back quickly. I will lower the severity to normal.

> We are working on updating the package to the v1.4.11 upstream release.
> That will fix this.

Ack.

Regards,
Salvatore