Piotr: Could you please provide a reproducer, or a string/locale couple that triggered th bug for you?
In my system, when n1 returned by strxfrm() was equal to n2, the string was terminated with \0, only that it was truncated (so a subsequent attempt to read it did not lead to an out-of-bound read). Though the manual states that the behavior is undefined. I did not try it in Debian, but I can't really imagine why would Debian's glibc behave differently from Fedora's one. Btw. I can't imagine a real-world situation where would this lead to an information disclosure. The return value of strxfrm() is never meant to be displayed to the user. -- Lubomir Kundrak (Red Hat Security Response Team) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

