Bug 27853

Summary: p11-kit new security issues CVE-2020-2936[1-3]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: p11-kit-0.23.21-1.mga7.src.rpm CVE: CVE-2020-2936[1-3]
Status comment:

Description David Walser 2020-12-16 16:12:53 CET 
Fedora has issued an advisory today (December 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4D5CLBYQ6GQU5KRRIBTSC4AOKNPX2JPE/

The issues are fixed upstream in 0.23.22:
https://github.com/p11-glue/p11-kit/security/advisories/GHSA-q4r3-hm6m-mvc2
https://github.com/p11-glue/p11-kit/security/advisories/GHSA-5wpq-43j2-6qwc
https://github.com/p11-glue/p11-kit/security/advisories/GHSA-5j67-fw89-fp6x

Updated packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated p11-kit packages fix security vulnerabilities:

Multiple integer overflows have been discovered in the array allocations in
the p11-kit library and the p11-kit list command, where overflow checks are
missing before calling realloc or calloc (CVE-2020-29361).

A heap-based buffer over-read has been discovered in the RPC protocol used by
thep11-kit server/remote commands and the client library. When the remote
entity supplies a byte array through a serialized PKCS#11 function call, the
receiving entity may allow the reading of up to 4 bytes of memory past the
heap allocation (CVE-2020-29362).

A heap-based buffer overflow has been discovered in the RPC protocol used by
p11-kit server/remote commands and the client library. When the remote entity
supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may
not allocate sufficient length for the buffer to store the deserialized value
(CVE-2020-29363).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29361
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29362
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29363
https://github.com/p11-glue/p11-kit/security/advisories/GHSA-q4r3-hm6m-mvc2
https://github.com/p11-glue/p11-kit/security/advisories/GHSA-5wpq-43j2-6qwc
https://github.com/p11-glue/p11-kit/security/advisories/GHSA-5j67-fw89-fp6x
https://github.com/p11-glue/p11-kit/releases/tag/0.23.22
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4D5CLBYQ6GQU5KRRIBTSC4AOKNPX2JPE/
========================

Updated packages in core/updates_testing:
========================
p11-kit-0.23.22-1.mga7
libp11-kit0-0.23.22-1.mga7
libp11-kit-devel-0.23.22-1.mga7
p11-kit-trust-0.23.22-1.mga7

from p11-kit-0.23.22-1.mga7.src.rpm
Comment 1 David Walser 2020-12-16 21:16:52 CET 
Thierry had some weird conflict in Cauldron with this update, and rebuilt gnutls to resolve it.  Please check for that here.
Comment 2 Thomas Andrews 2021-01-15 02:14:21 CET 
Updated this with QA Repo. No installation issues.

Looking at past bugs, I see that it is mentioned with Firefox quite often, so...

Ran Firefox, visited several sites, no issues noted. If there is a conflict, I don't know how to look for it.

Validating. Advisory in Comment 0.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 3 David Walser 2021-01-15 02:15:36 CET 
Thanks for checking.  I was pretty sure the conflict was bogus.  And yes, Firefox is the best way to test this.
Comment 4 Aurelien Oudelet 2021-01-17 15:14:35 CET 
Same, p11-kit is also used by flatpak apps.
No issue here with the Swedish-origin music player and others flatpak apps under M7 Plasma x86_64.

Advisory pushed to SVN.

Keywords: (none) => advisory
CVE: (none) => CVE-2020-2936[1-3]
CC: (none) => ouaurelien

Comment 5 Mageia Robot 2021-01-17 17:08:40 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0041.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED