Bug 1795838 (CVE-2020-8945)
| Summary: | CVE-2020-8945 proglottis/gpgme: Use-after-free in GPGME bindings during container image pull | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | adam.kaplan, adimania, admiller, alexandre.chanu, amurdaca, aos-bugs, bbaude, bbennett, bmontgom, cmeyers, dbecker, debarshir, dornelas, dwalsh, eparis, frantisek.kluknavsky, gblomqui, gmainwar, ichavero, ikavalio, jburrell, jcajka, jjoyce, jligon, jnovy, jokerman, jschluet, kbasil, lhh, lpeer, lsm5, mabashia, maszulik, mburns, mfojtik, mheon, mitr, mkaplan, mpatel, nalin, notting, nstielau, rh.container.bot, rpetrell, rphillips, rschiron, santiago, sclewis, sfowler, shurley, slinaber, smcdonal, sponnaga, sttts, tsweeney, umohnani, vbatts, wzheng |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | proglottis/gpgme 0.1.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-03-10 16:31:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1784838, 1802846, 1802847, 1802848, 1802849, 1802850, 1802851, 1802852, 1802853, 1802854, 1802855, 1802856, 1802857, 1802858, 1802859, 1802860, 1802862, 1802863, 1802864, 1802865, 1802866, 1802867, 1802868, 1802869, 1802870, 1802871, 1802872, 1802874, 1802875, 1802876, 1802877, 1802878, 1802879, 1802880, 1802881, 1802882, 1802883, 1802884, 1802885, 1802886, 1802887, 1802888, 1802889, 1802890, 1802891, 1802892, 1802893, 1802894, 1802895, 1802897, 1802898, 1802899, 1802900, 1802901, 1802902, 1802903, 1802904, 1802905, 1802906, 1803583, 1804609, 1805300, 1806553, 1806936, 1806937, 1806938, 1806939, 1806940, 1806941, 1806942, 1806943, 1806944, 1806945, 1806946, 1806947, 1849298 | ||
| Bug Blocks: | 1793545 | ||
|
Description
Sam Fowler
2020-01-29 01:21:58 UTC
Created cri-o:1.11/cri-o tracking bugs for this issue: Affects: fedora-all [bug 1802897] Created cri-o:1.12/cri-o tracking bugs for this issue: Affects: fedora-all [bug 1802898] Created cri-o:1.13/cri-o tracking bugs for this issue: Affects: fedora-all [bug 1802899] Created cri-o:1.14/cri-o tracking bugs for this issue: Affects: fedora-all [bug 1802900] Created cri-o:1.16/cri-o tracking bugs for this issue: Affects: fedora-31 [bug 1802901] Created docker tracking bugs for this issue: Affects: fedora-all [bug 1802902] Created origin tracking bugs for this issue: Affects: fedora-all [bug 1802905] Created podman tracking bugs for this issue: Affects: fedora-all [bug 1802903] Created skopeo tracking bugs for this issue: Affects: fedora-all [bug 1802904] Created docker tracking bugs for this issue: Affects: openstack-rdo [bug 1802906] Created buildah tracking bugs for this issue: Affects: fedora-all [bug 1803583] The Golang gpgme library is a wrapper to the underlying gpgme C library (which subsequently calls the gpg binary). The Go wrapper is used during the interaction of container images and GPG signatures; for example when pulling an image from a registry and verifying it's signature. The gpgme Go wrapper however does not mark the data structures or pointers to be kept alive by the Go run time. During the execution of the gpg binary, it is possible for the Golang garbage collector to free the referenced C structures whilst it is still required. When the gpg binary finishes executing, the gpgme C library is now using/referencing released memory - resulting in a use-after-free scenario. This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2020:0689 https://access.redhat.com/errata/RHSA-2020:0689 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8945 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:0679 https://access.redhat.com/errata/RHSA-2020:0679 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2020:0697 https://access.redhat.com/errata/RHSA-2020:0697 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:0928 https://access.redhat.com/errata/RHSA-2020:0928 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:0863 https://access.redhat.com/errata/RHSA-2020:0863 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:1230 https://access.redhat.com/errata/RHSA-2020:1230 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:1231 https://access.redhat.com/errata/RHSA-2020:1231 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:1234 https://access.redhat.com/errata/RHSA-2020:1234 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:0934 https://access.redhat.com/errata/RHSA-2020:0934 Statement: OpenShift 3.11 consumes updates for podman from the RHEL-7 extras channel, hence why it has been marked as wontfix in this instance. This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2020:1402 https://access.redhat.com/errata/RHSA-2020:1402 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:1937 https://access.redhat.com/errata/RHSA-2020:1937 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:1940 https://access.redhat.com/errata/RHSA-2020:1940 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:2117 https://access.redhat.com/errata/RHSA-2020:2117 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2020:2027 https://access.redhat.com/errata/RHSA-2020:2027 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:2413 https://access.redhat.com/errata/RHSA-2020:2413 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2927 https://access.redhat.com/errata/RHSA-2020:2927 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2020:2992 https://access.redhat.com/errata/RHSA-2020:2992 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2020:3167 https://access.redhat.com/errata/RHSA-2020:3167 |