Bug 1180066 - (CVE-2020-29363) VUL-0: CVE-2020-29363: p11-kit: out-of-bounds write in p11_rpc_buffer_get_byte_array_value function in rpc-message.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other / Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Ludwig Nussel
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/273409/
Reported: 2020-12-15 17:39 UTC by Wolfgang Frisch
Modified: 2021-08-13 12:35 UTC

Found By: Security Response Team
Description Wolfgang Frisch 2020-12-15 17:39:45 UTC
CVE-2020-29363

The p11_rpc_buffer_get_byte_array_value function can write past the end of a heap buffer using memcpy due to a missing length check in p11_rpc_buffer_get_attribute. In the RPC protocol, each attribute has a length field, which is used to allocate memory, but byte array attribute values have their own separate length field, and it is this length field that is used in memcpy.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1903588
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29363
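The description above boils down to a classic two-length-field mistake: the attribute's outer length sizes the heap allocation, but the byte array nested inside the value carries its own inner length, and the copy trusts the inner one. The following C is an added illustration, not p11-kit's code and not the upstream fix linked in the comments. The wire layout (big-endian type, outer value length, then an inner byte-array length), the function names, the attribute type value 0x11 and both sample messages are constructed for this example; the only p11-kit-specific thing it models is the check the description says was missing, namely that the inner length must fit inside the outer length before the memcpy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounds-checked big-endian uint32 reader. Precondition: *off <= len.
 * Returns 1 on success, 0 if fewer than 4 bytes remain. */
static int get_u32(const uint8_t *buf, size_t len, size_t *off, uint32_t *out)
{
    if (len - *off < 4)
        return 0;
    *out = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
           ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
    *off += 4;
    return 1;
}

/* Decode one attribute from a constructed wire format (an assumption, not
 * p11-kit's real encoding):
 *   [u32 type][u32 value_len][ value: [u32 array_len][array_len bytes] ]
 * Returns 0 and sets *out/*out_len (caller frees *out) on success,
 * -1 on a truncated message, -2 when the inner array length does not fit
 * inside the outer value length (the condition the missing check allowed). */
int decode_attribute(const uint8_t *msg, size_t msg_len,
                     uint32_t *type, uint8_t **out, size_t *out_len)
{
    size_t off = 0, inner_off, value_end;
    uint32_t value_len, array_len;
    uint8_t *dst;

    *out = NULL;
    *out_len = 0;
    if (!get_u32(msg, msg_len, &off, type) || !get_u32(msg, msg_len, &off, &value_len))
        return -1;
    if (msg_len - off < value_len)
        return -1;

    /* The allocation is sized from the OUTER length, as in the description. */
    dst = malloc(value_len ? value_len : 1);
    if (dst == NULL)
        return -1;

    /* The value carries a SECOND length for the byte array; parse it only
     * within the window [off, value_end) that the outer length defines. */
    value_end = off + value_len;
    inner_off = off;
    if (!get_u32(msg, value_end, &inner_off, &array_len)) {
        free(dst);
        return -1;
    }
    /* The check the bug description says was missing: the inner length is
     * bounded by what remains of the outer value, so the memcpy below can
     * never exceed the value_len bytes that were allocated. */
    if (array_len > value_end - inner_off) {
        free(dst);
        return -2;
    }
    memcpy(dst, msg + inner_off, array_len);
    *out = dst;
    *out_len = array_len;
    return 0;
}

/* Constructed sample: outer length 8, inner length 4, payload "abcd". */
static const uint8_t GOOD_MSG[] = {
    0x00, 0x00, 0x00, 0x11,  0x00, 0x00, 0x00, 0x08,
    0x00, 0x00, 0x00, 0x04,  'a', 'b', 'c', 'd'
};
/* Constructed sample: same outer length 8, but inner length 256, which is
 * the mismatch that would drive an oversized memcpy without the check. */
static const uint8_t BAD_MSG[] = {
    0x00, 0x00, 0x00, 0x11,  0x00, 0x00, 0x00, 0x08,
    0x00, 0x00, 0x01, 0x00,  'a', 'b', 'c', 'd'
};

/* Returns 1 when the well-formed sample decodes to "abcd" with type 0x11. */
int demo_good(void)
{
    uint32_t type;
    uint8_t *val;
    size_t n;
    int rc = decode_attribute(GOOD_MSG, sizeof GOOD_MSG, &type, &val, &n);
    int ok = rc == 0 && type == 0x11 && n == 4 && memcmp(val, "abcd", 4) == 0;
    free(val);
    return ok;
}

/* Returns the decoder's verdict on the mismatched sample (expected -2). */
int demo_bad(void)
{
    uint32_t type;
    uint8_t *val;
    size_t n;
    int rc = decode_attribute(BAD_MSG, sizeof BAD_MSG, &type, &val, &n);
    free(val); /* NULL on failure, so this is a no-op there */
    return rc;
}

int main(void)
{
    printf("well-formed attribute decoded: %s\n", demo_good() ? "yes" : "no");
    printf("mismatched lengths rejected with rc=%d\n", demo_bad());
    return 0;
}
```

The point to take from the mismatched sample is that both length fields are attacker-controlled in an RPC message, so neither can be trusted on its own: the inner length has to be validated against the window the outer length already established, and that validation belongs before the copy, not after.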
Comment 2 Wolfgang Frisch 2020-12-15 17:57:59 UTC
I assume this upstream commit corresponds to CVE-2020-29363:
https://github.com/p11-glue/p11-kit/commit/7625cfcebccf1c02d17e9295e1d883ea688ea264
Comment 3 Wolfgang Frisch 2020-12-15 18:04:45 UTC
Introduced in version 0.23.6 by this commit:

commit ba49b85ecf280e7fb6eec96c3ef33c50122e75a6 (refs/bisect/bad)
Author: Daiki Ueno <dueno@redhat.com>
Date:   Thu May 11 15:26:36 2017 +0200

    rpc: Convert attribute value for portability

SUSE:Carwos:1           Not affected
SUSE:SLE-12:Update      Not affected
SUSE:SLE-12-SP3:Update  Not affected
SUSE:SLE-15:Update      Not affected
openSUSE:Factory        Affected
Comment 4 Ludwig Nussel 2021-05-17 11:48:54 UTC
Fixed in Factory by upgrade to 0.23.22