Comment 2 for bug 1673284

Kovid Goyal (kovid) wrote :

Since the CVE has no information in it, it is impossible for anyone to say if it is genuine or not. Though typically, when a CVE is reserved, it means the entity that reserved it is practicing responsible disclosure -- which means contacting the project maintainers for the project that has the vulnerability. Since I am the project maintainer for rapydscript and I have not been contacted about any security issues in it, I find it unlikely. Most probably, clamav is using some heuristic to detect whatever the issue is in that CVE and that heuristic is falsely matching the code in the rapydscript compiler, which is in any case not used during normal calibre operations, as Eli points out (all rapydscript files are pre-compiled in calibre binaries).

If and when that CVE is actually disclosed feel free to update this ticket and I will take another look. But I would be very surprised if it were an actual bug in rapydscript.