diff options
author | Salvatore Bonaccorso <carnil@debian.org> | 2022-01-02 15:03:27 +0100 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2022-01-02 15:03:27 +0100 |
commit | bded83afa70e611e883d8f8b8ed3dfcc11bcf308 (patch) | |
tree | a84f873ca169fee02c3c7f7aa13e23eb2e35fef5 | |
parent | 0691b2e9790997bf09a0eeb1150a27aeb76de908 (diff) |
Update notes for CVE-2021-45959/fmtlib
Pending REJECT from MITRE to clean up the CVE entry.
-rw-r--r-- | data/CVE/2021.list | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/data/CVE/2021.list b/data/CVE/2021.list index 70313beb77..6aa41c2a2a 100644 --- a/data/CVE/2021.list +++ b/data/CVE/2021.list @@ -54,10 +54,12 @@ CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or mor NOTE: https://github.com/libexpat/libexpat/issues/531 NOTE: https://github.com/libexpat/libexpat/pull/534 CVE-2021-45959 ({fmt} 7.1.0 through 8.0.1 has a stack-based buffer overflow in fmt::v8 ...) - - fmtlib <unfixed> + - fmtlib <unfixed> (unimportant) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36110 + NOTE: https://github.com/fmtlib/fmt/issues/2685 NOTE: Fixed by: https://github.com/fmtlib/fmt/commit/2038bf61831eb8faede0883965364a974d1350fe - TODO: check correctness, introducing commit in oss-fuzz report is related when fuzzing started + NOTE: The CVE is basically invalid, as the report was one of a series of false positives + NOTE: and the "upstream fix" is effectively a noop. CVE-2021-45958 (UltraJSON (aka ujson) 4.0.2 through 5.0.0 has a stack-based buffer ove ...) - ujson <unfixed> NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009 |