Bug 1180066 - (CVE-2020-29363) VUL-0: CVE-2020-29363: p11-kit: out-of-bounds write in p11_rpc_buffer_get_byte_array_value function in rpc-message.c
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Ludwig Nussel
Security Team bot
Reported: 2020-12-15 17:39 UTC by Wolfgang Frisch
Modified: 2021-08-13 12:35 UTC

Found By: Security Response Team


Description Wolfgang Frisch 2020-12-15 17:39:45 UTC

The p11_rpc_buffer_get_byte_array_value function can write past the end of a heap buffer using memcpy due to a missing length check in p11_rpc_buffer_get_attribute. In the RPC protocol, each attribute has a length field, which is used to allocate memory, but byte array attribute values have their own separate length field, and it is this length field that is used in memcpy.
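
The length check described in the report, as an added example that is not part of the original bug report and is not p11-kit's code. It parses a simplified, hypothetical wire layout (`attr_len`, `array_len`, `MAX_ATTR_LEN` and the function names are assumptions) and rejects a byte array whose own length field exceeds the attribute length that sized the allocation:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified, hypothetical wire layout (big-endian), not p11-kit's own:
 *   u32 attr_len    attribute length field, sizes the allocation
 *   u32 array_len   byte array's own length field, sizes the copy
 *   u8  data[array_len] */
#define MAX_ATTR_LEN (64u * 1024u) /* assumed cap for this example */

static int read_u32(const uint8_t *buf, size_t len, size_t *off, uint32_t *out)
{
    if (len - *off < 4) /* callers keep *off <= len */
        return -1;
    *out = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
           ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
    *off += 4;
    return 0;
}

/* Returns a malloc'd copy of the value, or NULL if the message is malformed. */
uint8_t *parse_byte_array_attr(const uint8_t *msg, size_t msg_len, size_t *value_len)
{
    size_t off = 0;
    uint32_t attr_len, array_len;
    uint8_t *value;
    if (read_u32(msg, msg_len, &off, &attr_len) < 0 ||
        read_u32(msg, msg_len, &off, &array_len) < 0 ||
        attr_len > MAX_ATTR_LEN)
        return NULL;
    /* The copy length must fit the allocation (the check whose absence the
     * report describes) and the bytes actually present in the message. */
    if (array_len > attr_len || array_len > msg_len - off)
        return NULL;
    value = malloc(attr_len ? attr_len : 1);
    if (value == NULL)
        return NULL;
    memcpy(value, msg + off, array_len);
    *value_len = array_len;
    return value;
}

int main(void)
{
    /* Constructed message: attr_len = 2, array_len = 8, eight data bytes. */
    const uint8_t bad[] = {0, 0, 0, 2, 0, 0, 0, 8, 1, 2, 3, 4, 5, 6, 7, 8};
    size_t n = 0;
    return parse_byte_array_attr(bad, sizeof bad, &n) == NULL ? 0 : 1;
}
```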

Comment 2 Wolfgang Frisch 2020-12-15 17:57:59 UTC
I assume this upstream commit corresponds to CVE-2020-29363:

Comment 3 Wolfgang Frisch 2020-12-15 18:04:45 UTC
Introduced in version 0.23.6 by this commit:

commit ba49b85ecf280e7fb6eec96c3ef33c50122e75a6 (refs/bisect/bad)
Author: Daiki Ueno <dueno@redhat.com>
Date:   Thu May 11 15:26:36 2017 +0200

    rpc: Convert attribute value for portability

SUSE:Carwos:1           Not affected
SUSE:SLE-12:Update      Not affected
SUSE:SLE-12-SP3:Update  Not affected
SUSE:SLE-15:Update      Not affected
openSUSE:Factory        Affected

Comment 4 Ludwig Nussel 2021-05-17 11:48:54 UTC
Fixed in Factory by upgrade to 0.23.22