Fedora has issued an advisory today (December 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4D5CLBYQ6GQU5KRRIBTSC4AOKNPX2JPE/

The issues are fixed upstream in 0.23.22:
https://github.com/p11-glue/p11-kit/security/advisories/GHSA-q4r3-hm6m-mvc2
https://github.com/p11-glue/p11-kit/security/advisories/GHSA-5wpq-43j2-6qwc
https://github.com/p11-glue/p11-kit/security/advisories/GHSA-5j67-fw89-fp6x

Updated packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated p11-kit packages fix security vulnerabilities:

Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc (CVE-2020-29361).

A heap-based buffer over-read has been discovered in the RPC protocol used by the p11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation (CVE-2020-29362).

A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may not allocate sufficient length for the buffer to store the deserialized value (CVE-2020-29363).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29361
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29362
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29363
https://github.com/p11-glue/p11-kit/security/advisories/GHSA-q4r3-hm6m-mvc2
https://github.com/p11-glue/p11-kit/security/advisories/GHSA-5wpq-43j2-6qwc
https://github.com/p11-glue/p11-kit/security/advisories/GHSA-5j67-fw89-fp6x
https://github.com/p11-glue/p11-kit/releases/tag/0.23.22
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4D5CLBYQ6GQU5KRRIBTSC4AOKNPX2JPE/
========================

Updated packages in core/updates_testing:
========================
p11-kit-0.23.22-1.mga7
libp11-kit0-0.23.22-1.mga7
libp11-kit-devel-0.23.22-1.mga7
p11-kit-trust-0.23.22-1.mga7

from p11-kit-0.23.22-1.mga7.src.rpm
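As an added illustration of the bug classes the advisory above describes (this is not p11-kit's code or its upstream fix, and not part of the original thread), the C example below shows an overflow check before realloc and a length check on a byte array supplied by a remote peer. The function names and the message layout, a 4-byte big-endian length followed by the data, are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What an unchecked "count * elem_size" passes to realloc/calloc: it wraps. */
static size_t unchecked_bytes(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/* Resize to `count` elements, refusing a byte size that would wrap. */
static void *checked_realloc_array(void *ptr, size_t count, size_t elem_size)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        errno = ENOMEM;
        return NULL;                      /* caller still owns ptr */
    }
    return realloc(ptr, count * elem_size);
}

/* Copy a byte array out of a received message. Constructed format (an
 * assumption): 4-byte big-endian length, then that many bytes. */
static uint8_t *read_byte_array(const uint8_t *msg, size_t msg_len, size_t *out_len)
{
    if (msg_len < 4)
        return NULL;                      /* no room for the length field */
    uint32_t n = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
                 ((uint32_t)msg[2] << 8) | (uint32_t)msg[3];
    if (n > msg_len - 4)
        return NULL;                      /* sender claims more than it sent */
    uint8_t *copy = malloc(n ? n : 1);    /* sized from the validated length */
    if (copy == NULL)
        return NULL;
    memcpy(copy, msg + 4, n);
    *out_len = n;
    return copy;
}

int main(void)
{
    const uint8_t lying[] = { 0, 0, 0, 8, 'a', 'b', 'c' };  /* constructed */
    size_t n = 0, huge = SIZE_MAX / 16 + 2;
    printf("unchecked size: %zu bytes\n", unchecked_bytes(huge, 16));
    printf("checked resize: %p\n", checked_realloc_array(NULL, huge, 16));
    printf("oversized accepted: %d\n", read_byte_array(lying, sizeof lying, &n) != NULL);
    return 0;
}
```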
Thierry had some weird conflict in Cauldron with this update, and rebuilt gnutls to resolve it. Please check for that here.
Updated this with QA Repo. No installation issues. Looking at past bugs, I see that it is mentioned with Firefox quite often, so... Ran Firefox, visited several sites, no issues noted. If there is a conflict, I don't know how to look for it. Validating. Advisory in Comment 0.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Thanks for checking. I was pretty sure the conflict was bogus. And yes, Firefox is the best way to test this.
Same, p11-kit is also used by flatpak apps. No issue here with the Swedish-origin music player and other flatpak apps under M7 Plasma x86_64. Advisory pushed to SVN.
Keywords: (none) => advisory
CVE: (none) => CVE-2020-2936[1-3]
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0041.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED