SB2003081801 - Missing release of memory after effective lifetime in Linux kernel

Description

This security bulletin contains information about 1 vulnerability.

1) Missing release of memory after effective lifetime (CVE-ID: CVE-2003-0465)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The kernel strncpy function in Linux 2.4 and 2.5 does not %NUL pad the buffer on architectures other than x86, as opposed to the expected behavior of strncpy as implemented in libc, which could lead to information leaks.

Remediation

Install update from vendor's website.

References

• http://marc.info/?l=linux-kernel&m=105796021120436&w=2
• http://marc.info/?l=linux-kernel&m=105796415223490&w=2
• http://www.redhat.com/support/errata/RHSA-2004-188.html
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10285