|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2020-29361: p11-kit: integer overflow when allocating memory for arrays or attributes and object identifiers | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Wolfgang Frisch <wolfgang.frisch> |
| Component: | Incidents | Assignee: | Ludwig Nussel <lnussel> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | abergmann, gianluca.gabrielli, lnussel, smash_bz |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/273408/ | ||
| Whiteboard: | CVSSv3.1:SUSE:CVE-2020-29361:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
|
Description
Wolfgang Frisch
2020-12-15 17:39:06 UTC
I assume these two upstream commits correspond to CVE-2020-29361: https://github.com/p11-glue/p11-kit/commit/6c1c94bd2360f5778beb397ba5508d5084b7f0ee https://github.com/p11-glue/p11-kit/commit/7f032183dfd36c1f91d2400ceb5bbc90376a310c Fixed in Factory by upgrade to 0.23.22 Hi Ludwig, SUSE:SLE-15:Update/p11-kit has not been addressed yet, could you please submit the fix? Moreover, please do not close security issues from your side. Instead re-assign them back to the security team. sle15 does not include the server module. What's the attack vector? (In reply to Ludwig Nussel from comment #5) > sle15 does not include the server module. What's the attack vector? As for CVE-2020-29362 [0] I think that SUSE:SLE-12:Update/p11-kit, SUSE:SLE-12-SP3:Update/p11-kit and SUSE:SLE-15:Update/p11-kit might be affected. Accordingly to the related GHSA [1] the security bug exists for the `list` command as well for the p11-kit library. Can you confirm our package is not affected? [0] https://bugzilla.suse.com/show_bug.cgi?id=1180065 [1] https://github.com/p11-glue/p11-kit/security/advisories/GHSA-q4r3-hm6m-mvc2 openSUSE-SU-2021:4154-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1180064,1187993 CVE References: CVE-2020-29361 JIRA References: Sources used: openSUSE Leap 15.3 (src): p11-kit-0.23.2-4.13.1 SUSE-SU-2021:4154-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1180064,1187993 CVE References: CVE-2020-29361 JIRA References: Sources used: SUSE MicroOS 5.1 (src): p11-kit-0.23.2-4.13.1 SUSE MicroOS 5.0 (src): p11-kit-0.23.2-4.13.1 SUSE Manager Server 4.1 (src): p11-kit-0.23.2-4.13.1 SUSE Manager Retail Branch Server 4.1 (src): p11-kit-0.23.2-4.13.1 SUSE Manager Proxy 4.1 (src): p11-kit-0.23.2-4.13.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): p11-kit-0.23.2-4.13.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): p11-kit-0.23.2-4.13.1 SUSE Linux Enterprise Server for SAP 15 (src): p11-kit-0.23.2-4.13.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): p11-kit-0.23.2-4.13.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): p11-kit-0.23.2-4.13.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): p11-kit-0.23.2-4.13.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): p11-kit-0.23.2-4.13.1 SUSE Linux Enterprise Server 15-LTSS (src): p11-kit-0.23.2-4.13.1 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): p11-kit-0.23.2-4.13.1 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src): p11-kit-0.23.2-4.13.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): p11-kit-0.23.2-4.13.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): p11-kit-0.23.2-4.13.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): p11-kit-0.23.2-4.13.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): p11-kit-0.23.2-4.13.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): p11-kit-0.23.2-4.13.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): p11-kit-0.23.2-4.13.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): p11-kit-0.23.2-4.13.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): p11-kit-0.23.2-4.13.1 SUSE Enterprise Storage 7 (src): p11-kit-0.23.2-4.13.1 SUSE Enterprise Storage 6 (src): p11-kit-0.23.2-4.13.1 SUSE CaaS Platform 4.5 (src): p11-kit-0.23.2-4.13.1 SUSE CaaS Platform 4.0 (src): p11-kit-0.23.2-4.13.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. openSUSE-SU-2021:1611-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1180064,1187993 CVE References: CVE-2020-29361 JIRA References: Sources used: openSUSE Leap 15.2 (src): p11-kit-0.23.2-lp152.7.3.1 SUSE-SU-2022:0323-1: An update that solves 6 vulnerabilities, contains one feature and has 5 fixes is now available. Category: security (critical) Bug References: 1089938,1139519,1158916,1180064,1182058,1191227,1192684,1193533,1193690,1194859,1195048 CVE References: CVE-2020-29361,CVE-2021-20316,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336 JIRA References: SLE-23330 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP5 (src): apparmor-2.8.2-56.6.3, p11-kit-0.23.2-8.3.2, samba-4.15.4+git.324.8332acf1a63-3.54.1, sssd-1.16.1-7.28.9 SUSE Linux Enterprise Server 12-SP5 (src): apparmor-2.8.2-56.6.3, ca-certificates-1_201403302107-15.3.3, gnutls-3.4.17-8.4.1, libnettle-3.1-21.3.2, p11-kit-0.23.2-8.3.2, samba-4.15.4+git.324.8332acf1a63-3.54.1, sssd-1.16.1-7.28.9, yast2-samba-client-3.1.23-3.3.1 SUSE Linux Enterprise High Availability 12-SP5 (src): samba-4.15.4+git.324.8332acf1a63-3.54.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. was done |