CVE-2021-45959 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36110): {fmt} 7.1.0 through 8.0.1 has a stack-based buffer overflow in fmt::v8::detail::dragonbox::umul192_upper64 (called from fmt::v8::detail::dragonbox::cache_accessor<double>::compute_mul and fmt::v8::detail::dragonbox::decimal_fp<double> fmt::v8::detail::dragonbox::to_de).
Requested upstream to make a release that addresses this issue: https://github.com/fmtlib/fmt/issues/2685
(In reply to Craig Andrews from comment #1)
> Requested upstream to make a release that addresses this issue:
> https://github.com/fmtlib/fmt/issues/2685

Upstream replied:
> This is one of a series of false positives around 12 July that were closed without any changes to {fmt} (after some fuzzing infra issue has been addressed). In particular 2038bf6 is effectively a noop. I recommend marking this CVE as invalid.

Shall we close this as invalid? Do we have a way to get the CVE updated?

(In reply to Craig Andrews from comment #2)
> (In reply to Craig Andrews from comment #1)
> > Requested upstream to make a release that addresses this issue:
> > https://github.com/fmtlib/fmt/issues/2685
>
> Upstream replied:
> > This is one of a series of false positives around 12 July that were closed without any changes to {fmt} (after some fuzzing infra issue has been addressed). In particular 2038bf6 is effectively a noop. I recommend marking this CVE as invalid.
>
> Shall we close this as invalid? Do we have a way to get the CVE updated?

Anyone can at https://cveform.mitre.org