
Bug 830369 (CVE-2021-45959)

Summary: dev-libs/libfmt: buffer overflow
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: minor
CC: candrews
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [upstream/ebuild]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-01 02:08:07 UTC
CVE-2021-45959 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36110):

{fmt} 7.1.0 through 8.0.1 has a stack-based buffer overflow in fmt::v8::detail::dragonbox::umul192_upper64 (called from fmt::v8::detail::dragonbox::cache_accessor<double>::compute_mul and fmt::v8::detail::dragonbox::decimal_fp<double> fmt::v8::detail::dragonbox::to_de).
Comment 1 Craig Andrews gentoo-dev 2022-01-02 01:31:50 UTC
Requested upstream to make a release that addresses this issue: https://github.com/fmtlib/fmt/issues/2685
Comment 2 Craig Andrews gentoo-dev 2022-01-02 02:35:10 UTC
(In reply to Craig Andrews from comment #1)
> Requested upstream to make a release that addresses this issue:
> https://github.com/fmtlib/fmt/issues/2685

Upstream replied:
> This is one of a series of false positives around 12 July that were closed without any changes to {fmt} (after some fuzzing infra issue has been addressed). In particular 2038bf6 is effectively a noop. I recommend marking this CVE as invalid.

Shall we close this as invalid? Do we have a way to get the CVE updated?
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-02 05:30:57 UTC
(In reply to Craig Andrews from comment #2)
> (In reply to Craig Andrews from comment #1)
> > Requested upstream to make a release that addresses this issue:
> > https://github.com/fmtlib/fmt/issues/2685
> 
> Upstream replied:
> > This is one of a series of false positives around 12 July that were closed without any changes to {fmt} (after some fuzzing infra issue has been addressed). In particular 2038bf6 is effectively a noop. I recommend marking this CVE as invalid.
> 
> Shall we close this as invalid? Do we have a way to get the CVE updated?

Anyone can at https://cveform.mitre.org