Bug 2133668 (CVE-2021-42523) - CVE-2021-42523 colord: potential memory leak, forgetting to free error message of libsqlite3 API 'sqlite3_exec' -1
Summary: CVE-2021-42523 colord: potential memory leak, forgetting to free error messag...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-42523
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2133673 2133669 2133670 2133671 2133672 2133674
Blocks: 2132787
TreeView+ depends on / blocked
 
Reported: 2022-10-11 06:47 UTC by Sandipan Roy
Modified: 2022-10-13 08:49 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-10-12 14:33:09 UTC


Attachments (Terms of Use)

Description Sandipan Roy 2022-10-11 06:47:14 UTC
According to libsqlite3 API document, "To avoid memory leaks, the application should invoke sqlite3_free() on error message strings returned through the 5th parameter of sqlite3_exec() after the error message string is no longer needed."

https://github.com/hughsie/colord/issues/110

openSUSE has issued an advisory on October 4:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2GDIFQ2MG4MYMILUVYH7MTM5YKO2AMDS/

Comment 1 Sandipan Roy 2022-10-11 06:50:19 UTC
Created colord tracking bugs for this issue:

Affects: fedora-35 [bug 2133669]
Affects: fedora-36 [bug 2133672]


Created golang-entgo-ent tracking bugs for this issue:

Affects: fedora-35 [bug 2133670]
Affects: fedora-36 [bug 2133673]


Created mingw-colord tracking bugs for this issue:

Affects: fedora-35 [bug 2133671]
Affects: fedora-36 [bug 2133674]

Comment 3 Richard Hughes 2022-10-12 14:33:09 UTC
This is not a bug. Leaking a few bytes of memory for a failure case THAT CANNOT BE TRIGGED is not a security vulnerability in any way. CVE-2021-42523 should never have been issued and I believe it was only opened for someone to put on his resume. CWE-200 is an completely incorrect classification for this bug.


Note You need to log in before you can comment on or make changes to this bug.