Bug 2116923 (CVE-2022-2738) - CVE-2022-2738 podman: Security regression of CVE-2020-8945 due to source code management issue
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-2738
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2116947
Blocks: 2116894
Reported: 2022-08-09 14:37 UTC by Mauro Matteo Cascella
Modified: 2022-10-18 07:35 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
The version of podman released for Red Hat Enterprise Linux 7 Extras via the RHSA-2022:2190 advisory was an incorrect build that lacked the fix for CVE-2020-8945, which had previously been fixed via RHSA-2020:2117. This issue could be used to crash, or potentially achieve code execution in, Go applications that use the Go GPGME wrapper library, under certain conditions, during GPG signature verification.
Clone Of:
Environment:
Last Closed: 2022-09-02 11:55:50 UTC
Embargoed:




Links:
Red Hat Product Errata RHSA-2022:6119 (last updated 2022-08-22 09:15:47 UTC)

Description Mauro Matteo Cascella 2022-08-09 14:37:17 UTC
The podman packages, version podman-1.6.4-32.el7_9, as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 (https://access.redhat.com/errata/RHSA-2022:2190), included an incorrect version of podman that was missing multiple bug and security fixes. One of the fixes regressed in that update was the fix for CVE-2020-8945, which was previously corrected in the podman packages in Red Hat Enterprise Linux 7 Extras via RHSA-2020:2117 (https://access.redhat.com/errata/RHSA-2020:2117). CVE-2022-2738 was assigned to this security regression, and it is specific to the podman packages produced by Red Hat.

The original issue - CVE-2020-8945 - could possibly be used to crash or cause potential code execution in Go applications that use the Go GPGME wrapper library, under certain conditions, during GPG signature verification. For more details about the original issue, see:

https://access.redhat.com/security/cve/CVE-2020-8945
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8945

Comment 2 errata-xmlrpc 2022-08-22 09:15:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2022:6119 https://access.redhat.com/errata/RHSA-2022:6119

Comment 3 Product Security DevOps Team 2022-09-02 11:55:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2738
