The p11_rpc_buffer_get_byte_array function can read up to four bytes past the end of a heap allocation due to an incorrect bounds check, caused by a confusion between two similarly-named variables.
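A minimal illustration of this class of bounds-check mix-up, added here as an example; it is not p11-kit's code. The names msg_buf, get_u32, get_byte_array and claimed_overrun, the sample message, and the wire format (a 4-byte big-endian length prefix followed by the payload) are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical length-prefixed reader; names are illustrative, not p11-kit's. */
struct msg_buf { const unsigned char *data; size_t len; };

/* Read a big-endian uint32 at *offset and advance *offset past it. */
static bool get_u32(const struct msg_buf *b, size_t *offset, uint32_t *val)
{
    if (b->len < 4 || *offset > b->len - 4)
        return false;
    const unsigned char *p = b->data + *offset;
    *val = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    *offset += 4;
    return true;
}

/* Parse [uint32 length][payload]. With fixed == false the payload bound is
 * tested against *offset (position before the prefix), a mix-up of two
 * similarly named variables; with fixed == true it is tested against off. */
static bool get_byte_array(const struct msg_buf *b, size_t *offset,
                           const unsigned char **out, size_t *out_len, bool fixed)
{
    size_t off = *offset;
    uint32_t len;
    if (!get_u32(b, &off, &len))
        return false;
    size_t start = fixed ? off : *offset;
    if (b->len < len || start > b->len - len)
        return false;
    *out = b->data + off;      /* the payload really starts at off */
    *out_len = len;
    *offset = off + len;
    return true;
}

/* Constructed message: 8 bytes total, prefix claims an 8-byte payload.
 * Returns how many bytes past the buffer end the accepted payload extends. */
size_t claimed_overrun(bool fixed)
{
    static const unsigned char msg[8] = { 0, 0, 0, 8, 'A', 'B', 'C', 'D' };
    struct msg_buf b = { msg, sizeof msg };
    const unsigned char *p;
    size_t n, offset = 0;
    if (!get_byte_array(&b, &offset, &p, &n, fixed))
        return 0;              /* rejected: nothing would be read */
    return offset > b.len ? offset - b.len : 0;
}
```

The function only computes the extent of the accepted payload and never dereferences it, so the flawed path can be exercised safely.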
Created mingw-p11-kit tracking bugs for this issue:
Affects: fedora-all [bug 1907910]

Created p11-kit tracking bugs for this issue:
Affects: fedora-all [bug 1907913]
External References: https://github.com/p11-glue/p11-kit/security/advisories/GHSA-5wpq-43j2-6qwc
Upstream patch: https://github.com/p11-glue/p11-kit/commit/69d751ca9df9ac101adfb1e5aa7e83e3358106ba#diff-f91391f1b8084605c5e76b328deabc6dffc1c869408dd62703474e6a75636e67
Statement: The p11-kit library is primarily intended to be used locally, in which case the attacker needs to have sufficient permission to access the p11-kit communication. Although there may be use cases of p11-kit being used with a remote entity, all parties must be considered trusted. As a result, Red Hat considers this vulnerability to be of Medium severity.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:1609 https://access.redhat.com/errata/RHSA-2021:1609
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-29362