Bug 2116923 (CVE-2022-2738)

Summary: CVE-2022-2738 podman: Security regression of CVE-2020-8945 due to source code management issue
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bbaude, dwalsh, jligon, jnovy, lsm5, mboddu, mheon, pthomas, security-response-team, tsweeney, umohnani, vrothber
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-8945, which was previously fixed via RHSA-2020:2117. This issue could possibly be used to crash or cause potential code execution in Go applications that use the Go GPGME wrapper library, under certain conditions, during GPG signature verification.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-09-02 11:55:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2116947
Bug Blocks: 2116894

Description Mauro Matteo Cascella 2022-08-09 14:37:17 UTC
The podman packages version podman-1.6.4-32.el7_9 as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 (https://access.redhat.com/errata/RHSA-2022:2190) included an incorrect version of podman that was missing multiple bug and security fixes. One of the fixes regressed in that update was the fix for CVE-2020-8945, which was previously corrected in the podman packages in Red Hat Enterprise Linux 7 Extras via RHSA-2020:2117 (https://access.redhat.com/errata/RHSA-2020:2117). CVE-2022-2738 was assigned to this security regression, and it is specific to the podman packages produced by Red Hat.

The original issue - CVE-2020-8945 - could possibly be used to crash or cause potential code execution in Go applications that use the Go GPGME wrapper library, under certain conditions, during GPG signature verification. For more details about the original issue, see:

https://access.redhat.com/security/cve/CVE-2020-8945
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8945

Comment 2 errata-xmlrpc 2022-08-22 09:15:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2022:6119 https://access.redhat.com/errata/RHSA-2022:6119

Comment 3 Product Security DevOps Team 2022-09-02 11:55:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2738