[12:55] <Guest16> Hi Ubuntu Security Team, As per https://ubuntu.com/security/CVE-2023-38430 , is it correct to say that CVE-2023-38430 is applicable only when ksmbd-tools package is installed?
[12:55] -ubottu:#ubuntu-security- An issue was discovered in the Linux kernel before 6.3.9. ksmbd does not validate the SMB request protocol ID, leading to an out-of-bounds read. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38430>
[12:58] <mdeslaur> Guest16: the kernel interface is likely still vulnerable even if you don't have the userspace tools installed
[14:43] <JanC> considering it (potentially) results in KASAN warnings (or panics, depending on config) that seems very likely
[14:45] <sdeziel> the CVE link has a note saying: > needs ksmbd-tools installed to enable the service, which is not installed by default.
[14:48] <JanC> there are no other applications that can enable it?
[14:54] <mdeslaur> I mean, an attacker could poke at the kernel interface directly without the userspace tools
[14:55] <mdeslaur> not sure how "applicable" we're looking for
[14:56] <mdeslaur> "will my kernel crash by itself" vs "can an attacker crash my kernel even without the userspace tools installed"
[17:40] <teward> security team, a question regarding the OVALs came by - https://askubuntu.com/questions/1504371/ubuntu-22-04-lts-oval-missing-version-check-for-vulnerability-in-older-kernel - not sure fi this is relevant or if Security wants to respond authoritatively
[18:28] <ebarretto> teward, thanks for the heads up. I'm already eod but I will reply to it first thing tomorrow
[23:26] <teward> ebarretto: no worries, just wanted to put it on the radar i'll respond that I pushed it to the SEcurity team for handling and they're projecting to reply in the next 24 hours
[23:30] <teward> ebarretto: i see you already put in a reply and it got a downvote so I tossed a grenade into the ring with the "This is an official response by a member of the Ubuntu Security Team, if you downvote you should explain why" xD