Back in October 2003 Arnaldo committed some fixes prior to 2.6 for some leaking info to userspace in the usb drivers: http://linux.bkbits.net:8080/linux-2.6/cset@3f986b35LyBKc-OxB8G6k22oOjgYTQ The corresponding changes have not been committed to 2.4, or included in the previous sparse fixes. So I've assigned them CAN-2004-0685 (for 2.4 only, as they were fixed before 2.6.0). Treat as public.
Now fixed upstream, see http://linux.bkbits.net:8080/linux-2.4/cset@410582380U3H9KOx8J2YZmMT0bhXQw
Created attachment 103320: updated USB driver data leak patch

Pete, I'll take care of this in the next U4 build, since Mark was kind enough to post a patch to rhkernel-list (15-Jul-2004). Mark, I'm dropping 2 of the original patch hunks because they are unnecessary (in view of the strncpy() fixes made in U2), and I've tweaked the remaining 3 hunks to zero only the unassigned data fields.
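The bug class discussed in this report, as an added example that is not taken from the bug report or from the kernel patch: a reply structure that is only partly assigned before being copied out exposes stale memory, and the sketch counts the stale bytes that reach the caller for a leaky fill, a strncpy()-only fill, and a fill that also zeroes the unassigned field. The struct `dev_info`, the function names, the 0xAA poison marker and the use of `memcpy()` in place of `copy_to_user()` are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define STALE 0xAA /* constructed marker standing in for old kernel memory */

/* Hypothetical ioctl reply (no padding on common ABIs); not a real driver struct. */
struct dev_info {
    char name[16];    /* string field */
    int  speed;       /* always assigned */
    char reserved[8]; /* never assigned by the driver */
};

/* Before: strcpy() stops at the NUL, so the tail of name[] and all of
 * reserved[] keep whatever was in memory. */
static void fill_leaky(struct dev_info *di) {
    strcpy(di->name, "usb0");
    di->speed = 12;
}

/* strncpy() pads the destination with NULs up to n, so name[] is fully
 * overwritten; reserved[] is still stale. */
static void fill_strncpy_only(struct dev_info *di) {
    strncpy(di->name, "usb0", sizeof(di->name));
    di->name[sizeof(di->name) - 1] = '\0';
    di->speed = 12;
}

/* After: additionally zero the one field that nothing else assigns. */
static void fill_fixed(struct dev_info *di) {
    fill_strncpy_only(di);
    memset(di->reserved, 0, sizeof(di->reserved));
}

/* Poison the struct, fill it, copy it out (memcpy stands in for
 * copy_to_user) and count stale bytes that reached the "user" buffer. */
static size_t stale_bytes_exposed(void (*fill)(struct dev_info *)) {
    struct dev_info di;
    unsigned char user_buf[sizeof(di)];
    size_t i, n = 0;
    memset(&di, STALE, sizeof(di));
    fill(&di);
    memcpy(user_buf, &di, sizeof(di));
    for (i = 0; i < sizeof(user_buf); i++)
        n += (user_buf[i] == STALE);
    return n;
}

int main(void) {
    printf("leaky=%zu strncpy_only=%zu fixed=%zu\n", stale_bytes_exposed(fill_leaky),
           stale_bytes_exposed(fill_strncpy_only), stale_bytes_exposed(fill_fixed));
    return 0;
}
```

A structure with compiler-inserted padding would still expose the padding bytes under field-by-field zeroing; clearing the whole structure with `memset()` before filling it covers that case as well.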
The changes in comment #2 have just been committed to the RHEL3 U4 patch pool this evening (in kernel version 2.4.21-20.2.EL).
The fix for this problem has also been committed to the RHEL3 E4 patch pool this evening (in kernel version 2.4.21-20.0.1.EL).
http://rhn.redhat.com/errata/RHSA-2004-549.html