Candidate: CVE-2003-0465
References:
 CONFIRM:http://marc.theaimsgroup.com/?l=linux-kernel&m=105796021120436&w=2
 CONFIRM:http://marc.theaimsgroup.com/?l=linux-kernel&m=105796415223490&w=2
 REDHAT:RHSA-2004:188
 URL:http://www.redhat.com/support/errata/RHSA-2004-188.html
Description:
 The kernel strncpy function in Linux 2.4 and 2.5 does not %NUL pad the
 buffer on architectures other than x86, as opposed to the expected behavior
 of strncpy as implemented in libc, which could lead to information leaks.
Notes:
 2.4.27-8 fixes s390x, ppc64 and s390 but leaves mips & alpha unfixed.
 .
 horms> N.B. This bug appears to be minor at best
 horms> http://marc.theaimsgroup.com/?l=linux-kernel&m=105796021120436&w=2
 .
 dannf> Since this is minor, I'm gonna consider the existing patch "good enough"
 dannf> and mark the 2.4 issues as complete.
 jmm> Alan Cox wrote in above URL that these will be addressed during the 2.5
 jmm> cycle, so I guess it's pretty safe to make all the 2.6 kernels as fixed
 jmm> The ramifications are minor anyway
Bugs:
upstream:
linux-2.6: N/A
2.6.8-sarge-security: N/A
2.4.27-sarge-security: released (2.4.27-8)
2.4.19-woody-security: released (2.4.19-4.woody3)
2.4.18-woody-security: needed
2.4.17-woody-security: released (2.4.17-1woody4)
2.4.16-woody-security: released (2.4.16-1woody3)
2.4.17-woody-security-hppa: N/A
2.4.17-woody-security-ia64: N/A
2.4.18-woody-security-hppa: N/A