[21:49] <RonDesmond> Hello, I noticed the Ubuntu OVAL feed seems to have some discrepancies with the security page for CVE-2024-26597
[21:50] -ubottu:#ubuntu-security- In the Linux kernel, the following vulnerability has been resolved: net: qualcomm: rmnet: fix global oob in rmnet_policy The variable rmnet_link_ops assign a *bigger* maxtype which leads to a global out-of-bounds read when parsing the netlink attributes. See bug trace below:
[21:51] <RonDesmond> The OVAL feed reports the following:
[21:51] <RonDesmond>      <definition class="vulnerability" id="oval:com.ubuntu.jammy:def:2024265970000000" version="1">       <metadata>         <title>CVE-2024-26597 on Ubuntu 22.04 LTS (jammy) - high</title>         <description>In the Linux kernel, the following vulnerability has been resolved: net:qualcomm: rmnet...</description>         <affected family="unix">           <platform>Ubuntu 22.04 LTS</
[21:51] -ubottu:#ubuntu-security- In the Linux kernel, the following vulnerability has been resolved: net: qualcomm: rmnet: fix global oob in rmnet_policy The variable rmnet_link_ops assign a *bigger* maxtype which leads to a global out-of-bounds read when parsing the netlink attributes. See bug trace below:
[21:51] <RonDesmond> While the CVE page reports that linux-gcp-6.5 has a fixed version (https://ubuntu.com/security/CVE-2024-26597): 6.5.0-1016.16~22.04.1
[21:52] <RonDesmond> Apologies for the formatting of the OVAL XML: you can verify this by looking at the OVAL Jammy files at https://security-metadata.canonical.com/oval/