According to the libsqlite3 API document, "To avoid memory leaks, the application should invoke sqlite3_free() on error message strings returned through the 5th parameter of sqlite3_exec() after the error message string is no longer needed."
https://github.com/hughsie/colord/issues/110
openSUSE has issued an advisory on October 4: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2GDIFQ2MG4MYMILUVYH7MTM5YKO2AMDS/
Created colord tracking bugs for this issue:
Affects: fedora-35 [bug 2133669]
Affects: fedora-36 [bug 2133672]

Created golang-entgo-ent tracking bugs for this issue:
Affects: fedora-35 [bug 2133670]
Affects: fedora-36 [bug 2133673]

Created mingw-colord tracking bugs for this issue:
Affects: fedora-35 [bug 2133671]
Affects: fedora-36 [bug 2133674]
This is not a bug. Leaking a few bytes of memory for a failure case THAT CANNOT BE TRIGGERED is not a security vulnerability in any way. CVE-2021-42523 should never have been issued and I believe it was only opened for someone to put on his resume. CWE-200 is a completely incorrect classification for this bug.