CVE-2020-29363

Name of the Vulnerable Software and Affected Versions: p11-kit versions 0.23.6 through 0.23.21

Description: A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array in a CK ATTRIBUTE, the receiving entity may not allocate sufficient length for the buffer to store the deserialized value. This issue is related to the p11 rpc buffer get byte array value function and can lead to a denial of service.

Recommendations: For p11-kit versions 0.23.6 through 0.23.21, consider updating to a version that contains a fix for this issue. As a temporary workaround, restrict access to the vulnerable p11 rpc buffer get byte array value function until a patch is available. Avoid using the CK ATTRIBUTE with serialized byte arrays in the affected RPC protocol until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.