SB2003081801 - Missing release of memory after effective lifetime in Linux kernel 


Published: August 18, 2003

Security Bulletin ID: SB2003081801
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Missing release of memory after effective lifetime (CVE-ID: CVE-2003-0465)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The kernel strncpy function in Linux 2.4 and 2.5 does not NUL-pad the buffer on architectures other than x86, as opposed to the expected behavior of strncpy as implemented in libc, which could lead to information leaks.
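
The difference in padding behavior can be seen in a small user-space program. This is an added example, not kernel code or code from the bulletin: `strncpy_nopad` is a hypothetical model of the non-padding behavior described above, and the 16-byte field, its `'S'` fill and the string `"abcd"` are constructed sample values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 16

/* Hypothetical model of the behaviour described above: stop at the
 * terminator and leave the rest of dst untouched (no NUL padding). */
static char *strncpy_nopad(char *dst, const char *src, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        dst[i] = src[i];
        if (src[i] == '\0')
            break;
    }
    return dst;
}

/* ISO C / libc behaviour: the remainder of dst is filled with NULs. */
static char *strncpy_padded(char *dst, const char *src, size_t n)
{
    return strncpy(dst, src, n);
}

/* Count non-NUL bytes after the terminator: data that would leave with the
 * buffer if all len bytes were copied to a less privileged reader. */
static size_t stale_bytes(const char *buf, size_t len)
{
    const char *nul = memchr(buf, '\0', len);
    size_t count = 0;
    for (size_t i = nul ? (size_t)(nul - buf) : len; i < len; i++)
        count += (buf[i] != '\0');
    return count;
}

/* Reuse a field holding constructed "old" contents for a short string. */
static size_t leak_after_copy(char *(*copy)(char *, const char *, size_t))
{
    char field[FIELD_LEN];
    memset(field, 'S', sizeof(field));  /* constructed stale data */
    copy(field, "abcd", sizeof(field));
    return stale_bytes(field, sizeof(field));
}

int main(void)
{
    printf("no padding: %zu stale bytes\n", leak_after_copy(strncpy_nopad));
    printf("libc strncpy: %zu stale bytes\n", leak_after_copy(strncpy_padded));
    return 0;
}
```

Code that hands a whole fixed-size field to a less trusted reader can avoid depending on the copy routine's padding by zeroing the field before the copy.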


Remediation

Install the update from the vendor's website.