Hi all, I am working for Code Intelligence we did our best to find a maintainer for the oss-fuzz project. Unfortunately we've got no feedback until now, but It seems to be an unmaintained project except for some typo fixes since some years. I am not sure yet to which mailing list the bug report was send to, but I will check that information with the team.
However, I am really happy that there is some interest in fixing the RCE. I have verified the vulnerability and for me it seems to be a valid RCE. @Mark Thomas should we continue to discuss further details via secur...@apache.org? Best regards Roman