Thanks for confirming. I've switched the report to a normal public bug and marked our security advisory task as inapplicable, since this doesn't represent any exploitable vulnerability in the project. At worst, a developer could cherry-pick a malicious proposed change for the source and consume lots of CPU running static analysis checking on it until they interrupted the process.