CVE-2021-42523

Name:        CVE-2021-42523
Description: There are two Information Disclosure vulnerabilities in colord, located in colord/src/cd-device-db.c and colord/src/cd-profile-db.c respectively. They exist because the 'err_msg' of 'sqlite3_exec' is not released after use, while libxml2 emphasizes that the caller needs to release it.
Source:      CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release        Version    Status
colord (PTS)     jessie         1.2.1-1    vulnerable
colord (PTS)     stretch        1.3.3-2    vulnerable
colord (PTS)     buster         1.4.3-4    vulnerable
colord (PTS)     bullseye       1.4.5-3    vulnerable
colord (PTS)     bookworm       1.4.6-2.2  fixed
colord (PTS)     sid, trixie    1.4.7-1    fixed

The information below is based on the following data on fixed versions.

Package   Type     Release     Fixed Version   Urgency       Origin   Debian Bugs
colord    source   (unstable)  1.4.6-1         unimportant   -        -

Notes

- https://github.com/hughsie/colord/issues/110
- https://github.com/hughsie/colord/commit/adf41f36cf7214d7d6fa8d528b74eba47c377405 (1.4.6)
- Memory leak in a system-local daemon, negligible security impact
