SB2004122303 - Use of uninitialized resource in Linux kernel
Published: December 23, 2004
Security Bulletin ID
SB2004122303
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Use of uninitialized resource (CVE-ID: CVE-2004-0685)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to read and manipulate data.
Certain USB drivers in the Linux 2.4 kernel use the copy_to_user function on uninitialized structures, which could allow local users to obtain sensitive information by reading memory that was not cleared from previous usage.
Remediation
Install update from vendor's website.
References
- http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127921
- http://secunia.com/advisories/20162
- http://secunia.com/advisories/20163
- http://secunia.com/advisories/20202
- http://secunia.com/advisories/20338
- http://www.debian.org/security/2006/dsa-1067
- http://www.debian.org/security/2006/dsa-1069
- http://www.debian.org/security/2006/dsa-1070
- http://www.debian.org/security/2006/dsa-1082
- http://www.gentoo.org/security/en/glsa/glsa-200408-24.xml
- http://www.kb.cert.org/vuls/id/981134
- http://www.redhat.com/support/errata/RHSA-2004-504.html
- http://www.redhat.com/support/errata/RHSA-2004-505.html
- http://www.securityfocus.com/bid/10892
- http://www.securityspace.com/smysecure/catid.html?id=14580
- http://www.trustix.net/errata/2004/0041/
- https://bugzilla.fedora.us/show_bug.cgi?id=2336
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16931
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10665