According to libsqlite3 API document, "To avoid memory leaks, the application should invoke sqlite3_free() on error message strings returned through the 5th parameter of sqlite3_exec() after the error message string is no longer needed."
openSUSE has issued an advisory on October 4:
Created colord tracking bugs for this issue:
Affects: fedora-35 [bug 2133669]
Affects: fedora-36 [bug 2133672]
Created golang-entgo-ent tracking bugs for this issue:
Affects: fedora-35 [bug 2133670]
Affects: fedora-36 [bug 2133673]
Created mingw-colord tracking bugs for this issue:
Affects: fedora-35 [bug 2133671]
Affects: fedora-36 [bug 2133674]
This is not a bug. Leaking a few bytes of memory for a failure case THAT CANNOT BE TRIGGERED is not a security vulnerability in any way. CVE-2021-42523 should never have been issued and I believe it was only opened for someone to put on his resume. CWE-200 is a completely incorrect classification for this bug.