SB2004112303 - Missing release of memory after effective lifetime in Linux kernel
Published: November 23, 2004 Updated: November 6, 2024
Security Bulletin ID
SB2004112303
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Missing release of memory after effective lifetime (CVE-ID: CVE-2004-0415)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows a local user to gain access to sensitive information.
Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, which allows local users to access portions of kernel memory.
Remediation
Install update from vendor's website.
References
- ftp://patches.sgi.com/support/free/security/advisories/20040804-01-U.asc
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000879
- http://www.gentoo.org/security/en/glsa/glsa-200408-24.xml
- http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:087
- http://www.redhat.com/support/errata/RHSA-2004-413.html
- http://www.redhat.com/support/errata/RHSA-2004-418.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16877
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9965