Bug 1903590 (CVE-2020-29362)

Summary: CVE-2020-29362 p11-kit: out-of-bounds read in p11_rpc_buffer_get_byte_array function in rpc-message.c
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: crypto-team, dueno, erik-fedora, kai-engert-fedora, mike, rh-spice-bugs, security-response-team, stefw
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: p11-kit 0.23.22 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-18 20:37:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1906815, 1907910, 1907913, 1909019, 1909022    
Bug Blocks: 1902080    

Description Guilherme de Almeida Suckevicz 2020-12-02 12:58:32 UTC 
The p11_rpc_buffer_get_byte_array function can read up to four bytes past the end of a heap allocation due to an incorrect bounds check, caused by a confusion between two similarly-named variables.
Comment 2 Guilherme de Almeida Suckevicz 2020-12-15 13:55:41 UTC 
Created mingw-p11-kit tracking bugs for this issue:

Affects: fedora-all [bug 1907910]


Created p11-kit tracking bugs for this issue:

Affects: fedora-all [bug 1907913]
Comment 3 Cedric Buissart 2020-12-18 08:16:11 UTC 
External References:

https://github.com/p11-glue/p11-kit/security/advisories/GHSA-5wpq-43j2-6qwc
Comment 6 Todd Cullum 2021-01-06 19:50:43 UTC 
Upstream patch: https://github.com/p11-glue/p11-kit/commit/69d751ca9df9ac101adfb1e5aa7e83e3358106ba#diff-f91391f1b8084605c5e76b328deabc6dffc1c869408dd62703474e6a75636e67
Comment 8 Cedric Buissart 2021-01-11 15:21:58 UTC 
Statement:

The p11-kit library is primarily intended to be used locally, in which case the attacker needs to have sufficient permission to access the p11-kit communication. Although there may be use cases of p11-kit being used with a remote entity, all parties must be considered trusted.
As a result, Red Hat considers this vulnerability with a Medium severity.
Comment 9 errata-xmlrpc 2021-05-18 13:40:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1609 https://access.redhat.com/errata/RHSA-2021:1609
Comment 10 Product Security DevOps Team 2021-05-18 20:37:50 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-29362