Hi Florian,

Florian Weimer <fwei...@redhat.com> writes:

>> I have just written to VulDB, the source of these entries, showing that
>> they could not be reproduced.
>>
>> I will update here once I hear back.
>
> I received confirmation that Red Hat has not reproduced the reported
> issues, either.

Glad some others experienced the same as me. Thanks!

> Collin, have you heard anything from VulDB?

Yes, but I got sidetracked and completely forgot to update here. Sorry about that.

They tagged the two CVEs as disputed and mentioned that they could not be reproduced [1][2]. I assume other sites such as Red Hat's will be updated eventually to list the same [3].

VulDB sent a screen recording from the original reporter where they ran 'bison' with all the POC files. They all Segmentation Fault, no failed assertions or anything like the original report says.

Also, I realize now that obprintf.c is a glibc file. Gnulib (which is imported into Bison) only has obstack.c and obstack_printf.c.

With that information, upon everything I mentioned in previous messages, I am fairly confident that these CVEs are bogus.

Collin

[1] https://www.cve.org/CVERecord?id=CVE-2025-8733
[2] https://www.cve.org/CVERecord?id=CVE-2025-8734
[3] https://access.redhat.com/security/cve/cve-2025-8733