#1130253 libnss-db: Debian patch "200-set-db-environment.dpatch" creates a memory leak

Package:
libnss-db
Source:
libnss-db
Description:
NSS module for using Berkeley Databases as a naming service
Submitter:
Francois Lesueur
Date:
2026-03-10 10:25:02 UTC
Severity:
normal
Tags:
#1130253#5
Date:
2026-03-10 10:23:03 UTC
From:
To:
Dear Maintainer,

The patch "200-set-db-environment.dpatch" uses `strdup()` on line 209 (https://salsa.debian.org/debian/libnss-db/-/blob/debian/latest/debian/patches/200-set-db-environment.dpatch?ref_type=heads#L209). However, the allocated memory is only freed if there is an error (line 237 of the patch).

In the normal case, line 237 of this patch is not attained (there is a `return NSS_STATUS_SUCCESS;` before it). Hence, the `strdup()` is never freed and there is a memory leak. This leak can become quite large with long-running processes.

The proposed patch moves the `free()` right after the `dbenv->open()` call. This call copies this string itself (https://salsa.debian.org/debian/db5.3/-/blob/master/src/env/env_open.c#L465) and the parameter can thus be freed right after.

Kind regards,
François Lesueur -- alwaysdata


diff '--color=auto' -ru libnss-db-2.2.3pre1-orig/src/db-open.c libnss-db-2.2.3pre1/src/db-open.c
--- libnss-db-2.2.3pre1-orig/src/db-open.c	2026-03-10 11:02:42.217268756 +0100
+++ libnss-db-2.2.3pre1/src/db-open.c	2026-03-10 11:03:34.066449398 +0100
@@ -65,6 +65,7 @@
   filecopy = strdup(file);
   home = dirname(filecopy);
   err = dbenv->open(dbenv, home, DB_INIT_MPOOL | DB_CREATE | DB_PRIVATE, 0);
+  if (filecopy) free(filecopy);
   if (err != 0)
     goto fail_env;
   err = db_open (file, DB_BTREE, DB_RDONLY, 0, dbenv, NULL, &db);
@@ -87,7 +88,6 @@
  fail_env:
   dbenv->close (dbenv, 0);
  fail:
-  if (filecopy) free(filecopy);
   if (err > 0)
     errno = err;
   return NSS_STATUS_UNAVAIL;