Bug 1795838 (CVE-2020-8945) - CVE-2020-8945 proglottis/gpgme: Use-after-free in GPGME bindings during container image pull
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8945
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Severity: medium
Priority: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1784838 1802846 1802847 1802848 1802849 1802850 1802851 1802852 1802853 1802854 1802855 1802856 1802857 1802858 1802859 1802860 1802862 1802863 1802864 1802865 1802866 1802867 1802868 1802869 1802870 1802871 1802872 1802874 1802875 1802876 1802877 1802878 1802879 1802880 1802881 1802882 1802883 1802884 1802885 1802886 1802887 1802888 1802889 1802890 1802891 1802892 1802893 1802894 1802895 1802897 1802898 1802899 1802900 1802901 1802902 1802903 1802904 1802905 1802906 1803583 1804609 1805300 1806553 1806936 1806937 1806938 1806939 1806940 1806941 1806942 1806943 1806944 1806945 1806946 1806947 1849298
Blocks: 1793545
Reported: 2020-01-29 01:21 UTC by Sam Fowler
Modified: 2023-10-09 11:27 UTC (History)
CC List: 58 users

Fixed In Version: proglottis/gpgme 0.1.1
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.
Clone Of:
Environment:
Last Closed: 2020-03-10 16:31:52 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0679 0 None None None 2020-03-10 23:32:27 UTC
Red Hat Product Errata RHSA-2020:0689 0 None None None 2020-03-10 12:22:09 UTC
Red Hat Product Errata RHSA-2020:0697 0 None None None 2020-03-12 21:17:31 UTC
Red Hat Product Errata RHSA-2020:0863 0 None None None 2020-03-24 14:15:19 UTC
Red Hat Product Errata RHSA-2020:0928 0 None None None 2020-03-24 13:35:49 UTC
Red Hat Product Errata RHSA-2020:0934 0 None None None 2020-04-01 18:50:23 UTC
Red Hat Product Errata RHSA-2020:1230 0 None None None 2020-04-01 00:25:49 UTC
Red Hat Product Errata RHSA-2020:1231 0 None None None 2020-04-01 00:25:57 UTC
Red Hat Product Errata RHSA-2020:1234 0 None None None 2020-04-01 00:26:37 UTC
Red Hat Product Errata RHSA-2020:1402 0 None None None 2020-04-14 12:46:56 UTC
Red Hat Product Errata RHSA-2020:1937 0 None None None 2020-05-04 10:17:26 UTC
Red Hat Product Errata RHSA-2020:1940 0 None None None 2020-05-04 10:51:58 UTC
Red Hat Product Errata RHSA-2020:2027 0 None None None 2020-05-13 11:14:06 UTC
Red Hat Product Errata RHSA-2020:2117 0 None None None 2020-05-12 19:50:54 UTC
Red Hat Product Errata RHSA-2020:2413 0 None None None 2020-07-13 16:45:00 UTC
Red Hat Product Errata RHSA-2020:2927 0 None None None 2020-07-21 09:55:49 UTC
Red Hat Product Errata RHSA-2020:2992 0 None None None 2020-07-27 18:49:32 UTC
Red Hat Product Errata RHSA-2020:3167 0 None None None 2020-07-28 03:45:53 UTC

Description Sam Fowler 2020-01-29 01:21:58 UTC
The Go wrapper for the GPGME library, github.com/proglottis/gpgme (and fork github.com/mtrmac/gpgme), vendored into github.com/containers/image, is susceptible, under certain conditions, to a use-after-free when used during container image pulls by tools like docker and cri-o.


Upstream Fix:

https://github.com/proglottis/gpgme/pull/23

Comment 6 Sam Fowler 2020-02-14 03:47:43 UTC
Created cri-o:1.11/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 1802897]


Created cri-o:1.12/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 1802898]


Created cri-o:1.13/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 1802899]


Created cri-o:1.14/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 1802900]


Created cri-o:1.16/cri-o tracking bugs for this issue:

Affects: fedora-31 [bug 1802901]


Created docker tracking bugs for this issue:

Affects: fedora-all [bug 1802902]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1802905]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 1802903]


Created skopeo tracking bugs for this issue:

Affects: fedora-all [bug 1802904]

Comment 7 Sam Fowler 2020-02-14 03:48:49 UTC
Created docker tracking bugs for this issue:

Affects: openstack-rdo [bug 1802906]

Comment 8 Mark Cooper 2020-02-17 00:20:10 UTC
Created buildah tracking bugs for this issue:

Affects: fedora-all [bug 1803583]

Comment 28 Mark Cooper 2020-02-26 03:35:06 UTC
The Golang gpgme library is a wrapper to the underlying gpgme C library (which subsequently calls the gpg binary). The Go wrapper is used during the interaction of container images and GPG signatures; for example when pulling an image from a registry and verifying its signature.

The gpgme Go wrapper however does not mark the data structures or pointers to be kept alive by the Go runtime. During the execution of the gpg binary, it is possible for the Golang garbage collector to free the referenced C structures whilst they are still required.

When the gpg binary finishes executing, the gpgme C library is now using/referencing released memory - resulting in a use-after-free scenario.
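
The lifetime problem described in Comment 28 can be reproduced without cgo. The following is an added example, not code from the gpgme library or from containers/image: the C-side gpgme context is stood in for by a constructed `cHandle` that is released by a finalizer, `runGPG` stands in for the C library blocking on the gpg binary (forcing GC cycles so the race is visible on demand instead of under allocation pressure), and the two `Verify*` functions contrast the vulnerable pattern with the standard Go remedy, `runtime.KeepAlive`, which pins the wrapper until the C work has returned.

```go
package main

import (
	"fmt"
	"runtime"
	"sync"
	"time"
)

// cHandle is a constructed stand-in for a C-allocated gpgme context. Go code
// only ever holds the raw handle, and the memory behind it is released by an
// explicit free, exactly as C memory would be. The flag records that release.
type cHandle struct {
	mu    sync.Mutex
	freed bool
}

func (h *cHandle) free() {
	h.mu.Lock()
	h.freed = true
	h.mu.Unlock()
}

func (h *cHandle) isFreed() bool {
	h.mu.Lock()
	defer h.mu.Unlock()
	return h.freed
}

// Context is the Go-side wrapper (hypothetical name). As in the vulnerable
// wrapper, a finalizer releases the C memory once the garbage collector finds
// the wrapper unreachable.
type Context struct {
	ctx *cHandle
}

func NewContext() *Context {
	c := &Context{ctx: &cHandle{}}
	runtime.SetFinalizer(c, func(c *Context) { c.ctx.free() })
	return c
}

// runGPG stands in for the C library spawning the gpg binary and blocking on
// it. It receives only the raw handle, so nothing here keeps the Go wrapper
// reachable. The forced GC cycles and sleeps give the finalizer goroutine a
// chance to run, which in production happens whenever the collector is busy.
// It returns true if the C memory was released while the "C call" was running.
func runGPG(h *cHandle) bool {
	runtime.GC()
	time.Sleep(50 * time.Millisecond)
	runtime.GC()
	time.Sleep(50 * time.Millisecond)
	return h.isFreed()
}

// VerifyUnsafe mirrors the vulnerable pattern: after h is extracted, c is
// never used again, so the compiler considers it dead and the collector may
// finalize it (freeing the C context) while runGPG is still working with h.
func VerifyUnsafe(c *Context) bool {
	h := c.ctx
	return runGPG(h)
}

// VerifySafe is the same call followed by runtime.KeepAlive(c). Because c is
// used after runGPG returns, it stays reachable for the whole C call and the
// finalizer cannot run early; the handle is guaranteed valid throughout.
func VerifySafe(c *Context) bool {
	h := c.ctx
	freed := runGPG(h)
	runtime.KeepAlive(c)
	return freed
}

func main() {
	// The first line typically prints true on the gc toolchain (the finalizer
	// ran mid-call); the second always prints false.
	fmt.Println("without KeepAlive, C context freed during call:", VerifyUnsafe(NewContext()))
	fmt.Println("with KeepAlive, C context freed during call:   ", VerifySafe(NewContext()))
}
```

The unsafe path depends on the collector's timing, so a single run may or may not show the finalizer firing; the safe path is deterministic, which is the property a wrapper around C memory has to provide. The same pinning is needed for every method that hands a raw C pointer out of a finalized Go object, not only for the verification call.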

Comment 30 errata-xmlrpc 2020-03-10 12:22:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:0689 https://access.redhat.com/errata/RHSA-2020:0689

Comment 31 Product Security DevOps Team 2020-03-10 16:31:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8945

Comment 32 errata-xmlrpc 2020-03-10 23:32:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:0679 https://access.redhat.com/errata/RHSA-2020:0679

Comment 33 errata-xmlrpc 2020-03-12 21:17:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2020:0697 https://access.redhat.com/errata/RHSA-2020:0697

Comment 34 errata-xmlrpc 2020-03-24 13:35:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:0928 https://access.redhat.com/errata/RHSA-2020:0928

Comment 35 errata-xmlrpc 2020-03-24 14:15:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:0863 https://access.redhat.com/errata/RHSA-2020:0863

Comment 36 errata-xmlrpc 2020-04-01 00:25:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:1230 https://access.redhat.com/errata/RHSA-2020:1230

Comment 37 errata-xmlrpc 2020-04-01 00:25:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:1231 https://access.redhat.com/errata/RHSA-2020:1231

Comment 38 errata-xmlrpc 2020-04-01 00:26:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:1234 https://access.redhat.com/errata/RHSA-2020:1234

Comment 39 errata-xmlrpc 2020-04-01 18:50:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:0934 https://access.redhat.com/errata/RHSA-2020:0934

Comment 40 Mark Cooper 2020-04-13 23:12:21 UTC
Statement:

OpenShift 3.11 consumes updates for podman from the RHEL-7 extras channel, which is why it has been marked as wontfix in this instance.

Comment 41 errata-xmlrpc 2020-04-14 12:46:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:1402 https://access.redhat.com/errata/RHSA-2020:1402

Comment 44 errata-xmlrpc 2020-05-04 10:17:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:1937 https://access.redhat.com/errata/RHSA-2020:1937

Comment 45 errata-xmlrpc 2020-05-04 10:51:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:1940 https://access.redhat.com/errata/RHSA-2020:1940

Comment 46 errata-xmlrpc 2020-05-12 19:50:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:2117 https://access.redhat.com/errata/RHSA-2020:2117

Comment 47 errata-xmlrpc 2020-05-13 11:14:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:2027 https://access.redhat.com/errata/RHSA-2020:2027

Comment 51 errata-xmlrpc 2020-07-13 16:44:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:2413 https://access.redhat.com/errata/RHSA-2020:2413

Comment 56 errata-xmlrpc 2020-07-21 09:55:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2927 https://access.redhat.com/errata/RHSA-2020:2927

Comment 57 errata-xmlrpc 2020-07-27 18:49:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:2992 https://access.redhat.com/errata/RHSA-2020:2992

Comment 58 errata-xmlrpc 2020-07-28 03:45:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:3167 https://access.redhat.com/errata/RHSA-2020:3167
