Re: CVE-2023-31975: memory leak in yasm

["Smith, Stewart" <trawets () amazon com>]

On Jun 20, 2023, at 3:47 PM, Alan Coopersmith <alan.coopersmith () oracle com> wrote:
> https://nvd.nist.gov/vuln/detail/CVE-2023-31975 is freaking out scanners
> since it claims this bug has a CVSS of 9.8.
>
> From what I see at https://github.com/yasm/yasm/issues/210 though, I can't
> see any CVSS higher than 0.0 being relevant here and think the CVE should
> be withdrawn.  Am I missing something here?  All I see is 2 objects of
> 16 bytes each not being freed in the fraction of a second before the
> command exits and automatically frees the memory - in a command the user
> deliberately chooses to run, which runs as themselves with no raised
> privileges, on an input file they provide, and which exits after processing
> the file and doesn't hang around keeping that memory allocated - not a bit
> of security risk at all there.  (Yes, it's a small bug and is good to fix,
> but not to raise security alarms for.)
>
> --
>        -Alan Coopersmith-                 alan.coopersmith () oracle com
>         Oracle Solaris Engineering - https://blogs.oracle.com/solaris

I don’t think you are, I can’t see anything here either.

Even if you were doing all the wrong things and running a yasm-as-a-service continually building untrusted source right 
alongside other processes as the same user, that contain all sorts of things you don’t want exposed, I still don’t see 
how this would be anything but a 0.0.