diff -u kernel-source-2.4.18-2.4.18/debian/changelog kernel-source-2.4.18-2.4.18/debian/changelog
--- kernel-source-2.4.18-2.4.18/debian/changelog
+++ kernel-source-2.4.18-2.4.18/debian/changelog
@@ -1,3 +1,11 @@
+kernel-source-2.4.18 (2.4.18-14.4) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Applied patch by Andrea Arcangeli from 2.4.24 to fix privilege
+ escalation in the mremap() syscall [mm/mremap.c, CAN-2004-nnnn]
+
+ -- Martin Schulze Sat, 19 Feb 2005 08:47:29 +0100
+
 kernel-source-2.4.18 (2.4.18-14.3) stable-security; urgency=high
 * Non-maintainer upload by the Security Team
diff -urN linux-2.4.23/mm/mremap.c linux-2.4.24/mm/mremap.c
--- linux-2.4.23/mm/mremap.c 2003-08-25 04:44:44.000000000 -0700
+++ linux-2.4.24/mm/mremap.c 2004-01-05 05:53:56.000000000 -0800
@@ -241,6 +241,13 @@
 if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
 goto out;
+ /*
+ * Allow new_len == 0 only if new_addr == addr
+ * to preserve truncation in place (that was working
+ * safe and some app may depend on it).
+ */
+ if (unlikely(!new_len && new_addr != addr))
+ goto out;
 /* Check if the location we're moving into overlaps the
 * old location at all, and fail if it does.
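Review bot: The comment added above `if (unlikely(!new_len && new_addr != addr))` in the mm/mremap.c hunk explains why the `new_addr == addr` case stays allowed, but not why a zero `new_len` with a different address has to be rejected, which is the security-relevant half of the check. I would reword it along the lines of `/* new_len == 0 is valid only as an in-place truncation (new_addr == addr), which some apps may depend on; reject a zero-length move to any other address. */`. The exemption still lets zero-length requests with `new_addr == addr` reach the code below, so it is worth confirming that the overlap check and the truncation path behave correctly for `new_len == 0`. Those lines, the rest of the enclosing function and the value returned at `out` are outside the hunk.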