> On Nov 19, 2020, at 12:34 AM, Ian Zimmerman wrote:
>
> On 2020-09-29 08:19, Fstark wrote:
>
>> In `ass_outline_construct`'s call to `outline_stroke` a signed integer
>> overflow happens *(undefined behaviour)*. On my machine signed overflow
>> happens to wrap around to a negative value, thus failing the assert.
>> https://github.com/libass/libass/issues/431
>>
>> https://github.com/libass/libass/pull/432
>
> I have followed the links above, and this seems to be an example of a
> situation where the CVE process has failed. It is still not fixed in
> Debian, possibly for that reason. I'll report a Debian bug today.

I read through the issue discussion. As best as I can tell, no one filed
for a CVE, so there was no CVE. Did I misunderstand something?

If my understanding is correct, that is *NOT* a failure of the CVE
process.

--- David A. Wheeler