Bug 1795838 (CVE-2020-8945) - CVE-2020-8945 proglottis/gpgme: Use-after-free in GPGME bindings during container image pull
Summary: CVE-2020-8945 proglottis/gpgme: Use-after-free in GPGME bindings during conta...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8945
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1802864 1802902 1784838 1802846 1802847 1802848 1802849 1802850 1802851 1802852 1802853 1802854 1802855 1802856 1802857 1802858 1802859 1802860 1802862 1802863 1802865 1802866 1802867 1802868 1802869 1802870 1802871 1802872 1802874 1802875 1802876 1802877 1802878 1802879 1802880 1802881 1802882 1802883 1802884 1802885 1802886 1802887 1802888 1802889 1802890 1802891 1802892 1802893 1802894 1802895 1802897 1802898 1802899 1802900 1802901 1802903 1802904 1802905 1802906 1803583 1804609 1805300 1806553 1806936 1806937 1806938 1806939 1806940 1806941 1806942 1806943 1806944 1806945 1806946 1806947 1849298
Blocks: 1793545
TreeView+ depends on / blocked
 
Reported: 2020-01-29 01:21 UTC by Sam Fowler
Modified: 2020-10-21 09:37 UTC (History)
58 users (show)

Fixed In Version: proglottis/gpgme 0.1.1
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.
Clone Of:
Environment:
Last Closed: 2020-03-10 16:31:52 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0679 None None None 2020-03-10 23:32:27 UTC
Red Hat Product Errata RHSA-2020:0689 None None None 2020-03-10 12:22:09 UTC
Red Hat Product Errata RHSA-2020:0697 None None None 2020-03-12 21:17:31 UTC
Red Hat Product Errata RHSA-2020:0863 None None None 2020-03-24 14:15:19 UTC
Red Hat Product Errata RHSA-2020:0928 None None None 2020-03-24 13:35:49 UTC
Red Hat Product Errata RHSA-2020:0934 None None None 2020-04-01 18:50:23 UTC
Red Hat Product Errata RHSA-2020:1230 None None None 2020-04-01 00:25:49 UTC
Red Hat Product Errata RHSA-2020:1231 None None None 2020-04-01 00:25:57 UTC
Red Hat Product Errata RHSA-2020:1234 None None None 2020-04-01 00:26:37 UTC
Red Hat Product Errata RHSA-2020:1402 None None None 2020-04-14 12:46:56 UTC
Red Hat Product Errata RHSA-2020:1937 None None None 2020-05-04 10:17:26 UTC
Red Hat Product Errata RHSA-2020:1940 None None None 2020-05-04 10:51:58 UTC
Red Hat Product Errata RHSA-2020:2027 None None None 2020-05-13 11:14:06 UTC
Red Hat Product Errata RHSA-2020:2117 None None None 2020-05-12 19:50:54 UTC
Red Hat Product Errata RHSA-2020:2413 None None None 2020-07-13 16:45:00 UTC
Red Hat Product Errata RHSA-2020:2927 None None None 2020-07-21 09:55:49 UTC
Red Hat Product Errata RHSA-2020:2992 None None None 2020-07-27 18:49:32 UTC
Red Hat Product Errata RHSA-2020:3167 None None None 2020-07-28 03:45:53 UTC

Description Sam Fowler 2020-01-29 01:21:58 UTC
The Go wrapper for the GPGME library, github.com/proglottis/gpgme (and fork github.com/mtrmac/gpgme), vendored into github.com/containers/image, is susceptible, under certain conditions, to a use-after-free when used during container image pulls by tools like docker and cri-o.


Upstream Fix:

https://github.com/proglottis/gpgme/pull/23

Comment 6 Sam Fowler 2020-02-14 03:47:43 UTC
Created cri-o:1.11/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 1802897]


Created cri-o:1.12/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 1802898]


Created cri-o:1.13/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 1802899]


Created cri-o:1.14/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 1802900]


Created cri-o:1.16/cri-o tracking bugs for this issue:

Affects: fedora-31 [bug 1802901]


Created docker tracking bugs for this issue:

Affects: fedora-all [bug 1802902]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1802905]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 1802903]


Created skopeo tracking bugs for this issue:

Affects: fedora-all [bug 1802904]

Comment 7 Sam Fowler 2020-02-14 03:48:49 UTC
Created docker tracking bugs for this issue:

Affects: openstack-rdo [bug 1802906]

Comment 8 Mark Cooper 2020-02-17 00:20:10 UTC
Created buildah tracking bugs for this issue:

Affects: fedora-all [bug 1803583]

Comment 28 Mark Cooper 2020-02-26 03:35:06 UTC
The Golang gpgme library is a wrapper to the underlying gpgme C library (which subsequently calls the gpg binary). The Go wrapper is used during the interaction of container images and GPG signatures; for example when pulling an image from a registry and verifying it's signature.

The gpgme Go wrapper however does not mark the data structures or pointers to be kept alive by the Go run time. During the execution of the gpg binary, it is possible for the Golang garbage collector to free the referenced C structures whilst it is still required. 

When the gpg binary finishes executing, the gpgme C library is now using/referencing released memory - resulting in a use-after-free scenario.

Comment 30 errata-xmlrpc 2020-03-10 12:22:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:0689 https://access.redhat.com/errata/RHSA-2020:0689

Comment 31 Product Security DevOps Team 2020-03-10 16:31:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8945

Comment 32 errata-xmlrpc 2020-03-10 23:32:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:0679 https://access.redhat.com/errata/RHSA-2020:0679

Comment 33 errata-xmlrpc 2020-03-12 21:17:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2020:0697 https://access.redhat.com/errata/RHSA-2020:0697

Comment 34 errata-xmlrpc 2020-03-24 13:35:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:0928 https://access.redhat.com/errata/RHSA-2020:0928

Comment 35 errata-xmlrpc 2020-03-24 14:15:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:0863 https://access.redhat.com/errata/RHSA-2020:0863

Comment 36 errata-xmlrpc 2020-04-01 00:25:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:1230 https://access.redhat.com/errata/RHSA-2020:1230

Comment 37 errata-xmlrpc 2020-04-01 00:25:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:1231 https://access.redhat.com/errata/RHSA-2020:1231

Comment 38 errata-xmlrpc 2020-04-01 00:26:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:1234 https://access.redhat.com/errata/RHSA-2020:1234

Comment 39 errata-xmlrpc 2020-04-01 18:50:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:0934 https://access.redhat.com/errata/RHSA-2020:0934

Comment 40 Mark Cooper 2020-04-13 23:12:21 UTC
Statement:

OpenShift 3.11 consumes updates for podman from the RHEL-7 extras channel, hence why it has been marked as wontfix in this instance.

Comment 41 errata-xmlrpc 2020-04-14 12:46:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:1402 https://access.redhat.com/errata/RHSA-2020:1402

Comment 44 errata-xmlrpc 2020-05-04 10:17:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:1937 https://access.redhat.com/errata/RHSA-2020:1937

Comment 45 errata-xmlrpc 2020-05-04 10:51:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:1940 https://access.redhat.com/errata/RHSA-2020:1940

Comment 46 errata-xmlrpc 2020-05-12 19:50:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:2117 https://access.redhat.com/errata/RHSA-2020:2117

Comment 47 errata-xmlrpc 2020-05-13 11:14:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:2027 https://access.redhat.com/errata/RHSA-2020:2027

Comment 51 errata-xmlrpc 2020-07-13 16:44:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:2413 https://access.redhat.com/errata/RHSA-2020:2413

Comment 56 errata-xmlrpc 2020-07-21 09:55:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2927 https://access.redhat.com/errata/RHSA-2020:2927

Comment 57 errata-xmlrpc 2020-07-27 18:49:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:2992 https://access.redhat.com/errata/RHSA-2020:2992

Comment 58 errata-xmlrpc 2020-07-28 03:45:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:3167 https://access.redhat.com/errata/RHSA-2020:3167


Note You need to log in before you can comment on or make changes to this bug.