oss-sec mailing list archives
Re: CVE-2023-31975: memory leak in yasm
From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 21 Jun 2023 13:26:32 -0400
On Wed, Jun 21, 2023 at 1:22 PM Alan Coopersmith <alan.coopersmith () oracle com> wrote:
On 6/20/23 23:45, Jeffrey Walton wrote:On Tue, Jun 20, 2023 at 6:49 PM Alan Coopersmith <alan.coopersmith () oracle com> wrote:https://nvd.nist.gov/vuln/detail/CVE-2023-31975 is freaking out scanners since it claims this bug has a CVSS of 9.8. From what I see at https://github.com/yasm/yasm/issues/210 though, I can't see any CVSS higher than 0.0 being relevant here and think the CVE should be withdrawn. Am I missing something here? All I see is 2 objects of 16 bytes each not being freed in the fraction of a second before the command exits and automatically frees the memory - in a command the user deliberately chooses to run, which runs as themselves with no raised privileges, on an input file they provide, and which exits after processing the file and doesn't hang around keeping that memory allocated - not a bit of security risk at all there. (Yes, it's a small bug and is good to fix, but not to raise security alarms for.)Memory leaks on exit are par for the course in GNU software per https://www.gnu.org/prep/standards/standards.html#Memory-Usage . Nothing to see here, just move on.This isn't a GNU program, but that doesn't matter here. My argument is still that this CVE should be revoked, and that this class of bug shouldn't have CVEs issued.
Agreed. I'm not sure how that got a CVE given its par for the course. Jeff
Current thread:
- Re: CVE-2023-31975: memory leak in yasm, (continued)
- Re: CVE-2023-31975: memory leak in yasm Jeffrey Walton (Jun 21)
- Re: CVE-2023-31975: memory leak in yasm Dave Horsfall (Jun 21)
- Re: CVE-2023-31975: memory leak in yasm Jeffrey Walton (Jun 21)
- Re: CVE-2023-31975: memory leak in yasm Demi Marie Obenour (Jun 21)
- Re: CVE-2023-31975: memory leak in yasm Steve Grubb (Jun 21)
- Re: CVE-2023-31975: memory leak in yasm Jeffrey Walton (Jun 22)
- Re: CVE-2023-31975: memory leak in yasm Stuart Henderson (Jun 23)
- Re: CVE-2023-31975: memory leak in yasm Jakub Wilk (Jun 23)
- Re: CVE-2023-31975: memory leak in yasm Dave Horsfall (Jun 21)
- Re: CVE-2023-31975: memory leak in yasm Demi Marie Obenour (Jun 22)
- Re: CVE-2023-31975: memory leak in yasm Jeffrey Walton (Jun 21)
- Re: CVE-2023-31975: memory leak in yasm Jeffrey Walton (Jun 21)
- Re: CVE-2023-31975: memory leak in yasm Siddhesh Poyarekar (Jun 23)
- Re: CVE-2023-31975: memory leak in yasm Marcus Meissner (Jun 23)