Re: CVE-2023-31975: memory leak in yasm

[Jeffrey Walton <noloader () gmail com>]

On Tue, Jun 20, 2023 at 6:49 PM Alan Coopersmith
<alan.coopersmith () oracle com> wrote:
> https://nvd.nist.gov/vuln/detail/CVE-2023-31975 is freaking out scanners
> since it claims this bug has a CVSS of 9.8.
>
>  From what I see at https://github.com/yasm/yasm/issues/210 though, I can't
> see any CVSS higher than 0.0 being relevant here and think the CVE should
> be withdrawn.  Am I missing something here?  All I see is 2 objects of
> 16 bytes each not being freed in the fraction of a second before the
> command exits and automatically frees the memory - in a command the user
> deliberately chooses to run, which runs as themselves with no raised
> privileges, on an input file they provide, and which exits after processing
> the file and doesn't hang around keeping that memory allocated - not a bit
> of security risk at all there.  (Yes, it's a small bug and is good to fix,
> but not to raise security alarms for.)

Memory leaks on exit are par for the course in GNU software per
https://www.gnu.org/prep/standards/standards.html#Memory-Usage .

Nothing to see here, just move on.

Jeff