The Go wrapper for the GPGME library, github.com/proglottis/gpgme (and fork github.com/mtrmac/gpgme), vendored into github.com/containers/image, is susceptible, under certain conditions, to a use-after-free when used during container image pulls by tools like docker and cri-o. Upstream Fix: https://github.com/proglottis/gpgme/pull/23
Created cri-o:1.11/cri-o tracking bugs for this issue: Affects: fedora-all [bug 1802897]
Created cri-o:1.12/cri-o tracking bugs for this issue: Affects: fedora-all [bug 1802898]
Created cri-o:1.13/cri-o tracking bugs for this issue: Affects: fedora-all [bug 1802899]
Created cri-o:1.14/cri-o tracking bugs for this issue: Affects: fedora-all [bug 1802900]
Created cri-o:1.16/cri-o tracking bugs for this issue: Affects: fedora-31 [bug 1802901]
Created docker tracking bugs for this issue: Affects: fedora-all [bug 1802902]
Created origin tracking bugs for this issue: Affects: fedora-all [bug 1802905]
Created podman tracking bugs for this issue: Affects: fedora-all [bug 1802903]
Created skopeo tracking bugs for this issue: Affects: fedora-all [bug 1802904]
Created docker tracking bugs for this issue: Affects: openstack-rdo [bug 1802906]
Created buildah tracking bugs for this issue: Affects: fedora-all [bug 1803583]
The Golang gpgme library is a wrapper to the underlying gpgme C library (which subsequently calls the gpg binary). The Go wrapper is used during the interaction of container images and GPG signatures; for example, when pulling an image from a registry and verifying its signature. The gpgme Go wrapper, however, does not mark the data structures or pointers to be kept alive by the Go runtime. During the execution of the gpg binary, it is possible for the Golang garbage collector to free the referenced C structures whilst they are still required. When the gpg binary finishes executing, the gpgme C library is now using/referencing released memory, resulting in a use-after-free scenario.
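An added illustration of the lifetime problem described above and of the standard Go remedy, runtime.KeepAlive (example code written for this page, not the gpgme wrapper's own): a Go object owns a raw handle that a finalizer releases, a blocking call reads only the handle, and the garbage collector may finalize the owner mid-call. The "C side" is a constructed in-process handle table rather than cgo, and the names Context, NewContext, verifyUnsafe and verifySafe are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"runtime"
	"sync"
	"time"
)

// Constructed stand-in for the C side (gpgme_ctx_t allocations); not the real library.
var (
	mu     sync.Mutex
	live   = map[uintptr]bool{}
	nextID uintptr
)
var errUseAfterFree = errors.New("C handle used after free")

func cAlloc() uintptr { mu.Lock(); defer mu.Unlock(); nextID++; live[nextID] = true; return nextID }
func cFree(h uintptr) { mu.Lock(); defer mu.Unlock(); delete(live, h) }
func cUse(h uintptr) error {
	mu.Lock(); defer mu.Unlock()
	if !live[h] { return errUseAfterFree }
	return nil
}

// Context mirrors the wrapper pattern: a Go object owning a raw C handle that a finalizer frees.
type Context struct{ ctx uintptr }

func NewContext() *Context {
	c := &Context{ctx: cAlloc()}
	runtime.SetFinalizer(c, func(c *Context) { cFree(c.ctx) })
	return c
}

// longCCall stands for the blocking gpgme call that runs gpg; GC cycles happen meanwhile.
func longCCall(h uintptr) error {
	runtime.GC()
	time.Sleep(time.Millisecond) // let the finalizer goroutine run if c became unreachable
	return cUse(h)
}

// verifyUnsafe: once c.ctx is read, nothing references c, so it may be finalized mid-call.
func verifyUnsafe(c *Context) error { return longCCall(c.ctx) }

// verifySafe: KeepAlive keeps c reachable (and its finalizer pending) until the call returns.
func verifySafe(c *Context) error { err := longCCall(c.ctx); runtime.KeepAlive(c); return err }

// failures runs n trials on fresh contexts and counts use-after-free results.
func failures(n int, f func(*Context) error) (bad int) {
	for i := 0; i < n; i++ { if f(NewContext()) != nil { bad++ } }
	return bad
}

func main() { // unsafe count is nondeterministic; 0 there proves nothing, safe is always 0
	fmt.Println("unsafe:", failures(50, verifyUnsafe), "safe:", failures(50, verifySafe))
}
```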
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2020:0689 https://access.redhat.com/errata/RHSA-2020:0689
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8945
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:0679 https://access.redhat.com/errata/RHSA-2020:0679
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2020:0697 https://access.redhat.com/errata/RHSA-2020:0697
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:0928 https://access.redhat.com/errata/RHSA-2020:0928
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:0863 https://access.redhat.com/errata/RHSA-2020:0863
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:1230 https://access.redhat.com/errata/RHSA-2020:1230
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:1231 https://access.redhat.com/errata/RHSA-2020:1231
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:1234 https://access.redhat.com/errata/RHSA-2020:1234
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:0934 https://access.redhat.com/errata/RHSA-2020:0934
Statement: OpenShift 3.11 consumes updates for podman from the RHEL-7 extras channel, hence why it has been marked as wontfix in this instance.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2020:1402 https://access.redhat.com/errata/RHSA-2020:1402
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:1937 https://access.redhat.com/errata/RHSA-2020:1937
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:1940 https://access.redhat.com/errata/RHSA-2020:1940
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:2117 https://access.redhat.com/errata/RHSA-2020:2117
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2020:2027 https://access.redhat.com/errata/RHSA-2020:2027
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:2413 https://access.redhat.com/errata/RHSA-2020:2413
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2927 https://access.redhat.com/errata/RHSA-2020:2927
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2020:2992 https://access.redhat.com/errata/RHSA-2020:2992
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2020:3167 https://access.redhat.com/errata/RHSA-2020:3167