Re: CVE-2023-31975: memory leak in yasm

[Jeffrey Walton <noloader () gmail com>]

On Wed, Jun 21, 2023 at 1:22 PM Alan Coopersmith
<alan.coopersmith () oracle com> wrote:
> On 6/20/23 23:45, Jeffrey Walton wrote:
> > On Tue, Jun 20, 2023 at 6:49 PM Alan Coopersmith
> > <alan.coopersmith () oracle com> wrote:
> > > https://nvd.nist.gov/vuln/detail/CVE-2023-31975 is freaking out scanners
> > > since it claims this bug has a CVSS of 9.8.
> > >
> > >   From what I see at https://github.com/yasm/yasm/issues/210 though, I can't
> > > see any CVSS higher than 0.0 being relevant here and think the CVE should
> > > be withdrawn.  Am I missing something here?  All I see is 2 objects of
> > > 16 bytes each not being freed in the fraction of a second before the
> > > command exits and automatically frees the memory - in a command the user
> > > deliberately chooses to run, which runs as themselves with no raised
> > > privileges, on an input file they provide, and which exits after processing
> > > the file and doesn't hang around keeping that memory allocated - not a bit
> > > of security risk at all there.  (Yes, it's a small bug and is good to fix,
> > > but not to raise security alarms for.)
> >
> > Memory leaks on exit are par for the course in GNU software per
> > https://www.gnu.org/prep/standards/standards.html#Memory-Usage .
> >
> > Nothing to see here, just move on.
>
> This isn't a GNU program, but that doesn't matter here.  My argument
> is still that this CVE should be revoked, and that this class of bug
> shouldn't have CVEs issued.

Agreed. I'm not sure how that got a CVE given its par for the course.

Jeff