CVE-2021-42523

Name	CVE-2021-42523
Description	There are two Information Disclosure vulnerabilities in colord, and they lie in colord/src/cd-device-db.c and colord/src/cd-profile-db.c separately. They exist because the 'err_msg' of 'sqlite3_exec' is not releasing after use, while libxml2 emphasizes that the caller needs to release it.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
colord (PTS)	buster	1.4.3-4	vulnerable
	bullseye	1.4.5-3	vulnerable
	bookworm, sid	1.4.6-2.2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
colord	source	(unstable)	1.4.6-1	unimportant

Notes

https://github.com/hughsie/colord/issues/110
https://github.com/hughsie/colord/commit/adf41f36cf7214d7d6fa8d528b74eba47c377405 (1.4.6)
Memory leak in a system-local daemon, negligible security impact