{"schema_version":"1.7.2","id":"OESA-2021-1024","modified":"2021-02-05T11:02:35Z","published":"2021-02-05T11:02:35Z","upstream":["CVE-2020-29361","CVE-2020-29362","CVE-2020-29363"],"summary":"p11-kit security update","details":"Provides a way to load and enumerate PKCS#11 modules. Provides a standard configuration setup for installing PKCS#11 modules in such a way that they're discoverable. Also solves problems with coordinating the use of PKCS#11 by different components or libraries living in the same process.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nAn issue was discovered in p11-kit 0.21.1 through 0.23.21. Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.(CVE-2020-29361)\\r\\n\\r\\n\nAn issue was discovered in p11-kit 0.21.1 through 0.23.21. A heap-based buffer over-read has been discovered in the RPC protocol used by the p11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation.(CVE-2020-29362)\\r\\n\\r\\n\nAn issue was discovered in p11-kit 0.23.6 through 0.23.21. A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. 
When the remote entity supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may not allocate sufficient length for the buffer to store the deserialized value.(CVE-2020-29363)\\r\\n\\r\\n","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS","name":"p11-kit","purl":"pkg:rpm/openEuler/p11-kit\u0026distro=openEuler-20.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.23.20-2.oe1"}]}],"ecosystem_specific":{"aarch64":["p11-kit-0.23.20-2.oe1.aarch64.rpm","p11-kit-debuginfo-0.23.20-2.oe1.aarch64.rpm","p11-kit-debugsource-0.23.20-2.oe1.aarch64.rpm","p11-kit-devel-0.23.20-2.oe1.aarch64.rpm","p11-kit-help-0.23.20-2.oe1.aarch64.rpm","p11-kit-trust-0.23.20-2.oe1.aarch64.rpm","p11-kit-0.23.20-2.oe1.aarch64.rpm","p11-kit-debuginfo-0.23.20-2.oe1.aarch64.rpm","p11-kit-debugsource-0.23.20-2.oe1.aarch64.rpm","p11-kit-devel-0.23.20-2.oe1.aarch64.rpm","p11-kit-help-0.23.20-2.oe1.aarch64.rpm","p11-kit-trust-0.23.20-2.oe1.aarch64.rpm"],"src":["p11-kit-0.23.20-2.oe1.src.rpm","p11-kit-0.23.20-2.oe1.src.rpm"],"x86_64":["p11-kit-0.23.20-2.oe1.x86_64.rpm","p11-kit-debuginfo-0.23.20-2.oe1.x86_64.rpm","p11-kit-debugsource-0.23.20-2.oe1.x86_64.rpm","p11-kit-devel-0.23.20-2.oe1.x86_64.rpm","p11-kit-help-0.23.20-2.oe1.x86_64.rpm","p11-kit-trust-0.23.20-2.oe1.x86_64.rpm","p11-kit-0.23.20-2.oe1.x86_64.rpm","p11-kit-debuginfo-0.23.20-2.oe1.x86_64.rpm","p11-kit-debugsource-0.23.20-2.oe1.x86_64.rpm","p11-kit-devel-0.23.20-2.oe1.x86_64.rpm","p11-kit-help-0.23.20-2.oe1.x86_64.rpm","p11-kit-trust-0.23.20-2.oe1.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:20.03-LTS-SP1","name":"p11-kit","purl":"pkg:rpm/openEuler/p11-kit\u0026distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.23.20-2.oe1"}]}],"ecosystem_specific":{"aarch64":["p11-kit-0.23.20-2.oe1.aarch64.rpm","p11-kit-debuginfo-0.23.20-2.oe1.aarch64.rpm","p11-kit-debugsource-0.23.20-2.oe1.aarch64.rpm","p11-kit-devel-0.23.20-2.oe1.aarch64.rpm","p
11-kit-help-0.23.20-2.oe1.aarch64.rpm","p11-kit-trust-0.23.20-2.oe1.aarch64.rpm"],"src":["p11-kit-0.23.20-2.oe1.src.rpm"],"x86_64":["p11-kit-0.23.20-2.oe1.x86_64.rpm","p11-kit-debuginfo-0.23.20-2.oe1.x86_64.rpm","p11-kit-debugsource-0.23.20-2.oe1.x86_64.rpm","p11-kit-devel-0.23.20-2.oe1.x86_64.rpm","p11-kit-help-0.23.20-2.oe1.x86_64.rpm","p11-kit-trust-0.23.20-2.oe1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1024"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-29361"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-29362"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-29363"}],"database_specific":{"severity":"High"}}