Fedora has issued an advisory today (December 16):
The issues are fixed upstream in 0.23.22:
Updated packages uploaded for Mageia 7 and Cauldron.
Updated p11-kit packages fix security vulnerabilities:
Multiple integer overflows have been discovered in the array allocations in
the p11-kit library and the p11-kit list command, where overflow checks are
missing before calling realloc or calloc (CVE-2020-29361).
A heap-based buffer over-read has been discovered in the RPC protocol used by
thep11-kit server/remote commands and the client library. When the remote
entity supplies a byte array through a serialized PKCS#11 function call, the
receiving entity may allow the reading of up to 4 bytes of memory past the
heap allocation (CVE-2020-29362).
A heap-based buffer overflow has been discovered in the RPC protocol used by
p11-kit server/remote commands and the client library. When the remote entity
supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may
not allocate sufficient length for the buffer to store the deserialized value
Updated packages in core/updates_testing:
Thierry had some weird conflict in Cauldron with this update, and rebuilt gnutls to resolve it. Please check for that here.
Updated this with QA Repo. No installation issues.
Looking at past bugs, I see that it is mentioned with Firefox quite often, so...
Ran Firefox, visited several sites, no issues noted. If there is a conflict, I don't know how to look for it.
Validating. Advisory in Comment 0.
Thanks for checking. I was pretty sure the conflict was bogus. And yes, Firefox is the best way to test this.
Same, p11-kit is also used by flatpak apps.
No issue here with the Swedish-origin music player and others flatpak apps under M7 Plasma x86_64.
Advisory pushed to SVN.
An update for this issue has been pushed to the Mageia Updates repository.