CVE-2020-8945
Summary
| CVE | CVE-2020-8945 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2020-02-12 18:15:00 UTC |
|---|
| Updated | 2023-11-07 03:26:00 UTC |
|---|
| Description | The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| Red Hat Customer Portal |
REDHAT |
access.redhat.com |
Third Party Advisory |
| Comparing v0.1.0...v0.1.1 · proglottis/gpgme · GitHub |
MISC |
github.com |
Patch, Third Party Advisory |
| [SECURITY] Fedora 31 Update: skopeo-0.1.41-1.fc31 - package-announce - Fedora Mailing-Lists |
|
lists.fedoraproject.org |
|
| [SECURITY] Fedora 30 Update: podman-1.8.0-4.fc30 - package-announce - Fedora Mailing-Lists |
|
lists.fedoraproject.org |
|
| [SECURITY] Fedora 32 Update: origin-3.11.2-1.fc32 - package-announce - Fedora Mailing-Lists |
|
lists.fedoraproject.org |
|
| [SECURITY] Fedora 31 Update: skopeo-0.1.41-1.fc31 - package-announce - Fedora Mailing-Lists |
FEDORA |
lists.fedoraproject.org |
Mailing List, Third Party Advisory |
| [SECURITY] Fedora 30 Update: podman-1.8.0-4.fc30 - package-announce - Fedora Mailing-Lists |
FEDORA |
lists.fedoraproject.org |
Mailing List, Third Party Advisory |
| [SECURITY] Fedora 32 Update: origin-3.11.2-1.fc32 - package-announce - Fedora Mailing-Lists |
FEDORA |
lists.fedoraproject.org |
|
| Red Hat Customer Portal |
REDHAT |
access.redhat.com |
Third Party Advisory |
| [SECURITY] Fedora 30 Update: skopeo-0.1.41-1.fc30 - package-announce - Fedora Mailing-Lists |
FEDORA |
lists.fedoraproject.org |
Mailing List, Third Party Advisory |
| Red Hat Customer Portal |
REDHAT |
access.redhat.com |
Third Party Advisory |
| Ensure finalizers don't deallocate GPGME objects while C code is still using them by mtrmac · Pull Request #23 · proglottis/gpgme · GitHub |
MISC |
github.com |
Exploit, Patch, Third Party Advisory |
| 1795838 – (CVE-2020-8945) CVE-2020-8945 proglottis/gpgme: Use-after-free in GPGME bindings during container image pull |
MISC |
bugzilla.redhat.com |
Issue Tracking, Patch, Third Party Advisory |
| Update to github.com/mtrmac/[email protected] · containers/image@4c7a23f · GitHub |
MISC |
github.com |
Patch, Third Party Advisory |
| [SECURITY] Fedora 30 Update: skopeo-0.1.41-1.fc30 - package-announce - Fedora Mailing-Lists |
|
lists.fedoraproject.org |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 770013 Red Hat OpenShift Container Platform 4.3.5 Security Update (RHSA-2020:0679)
- 770016 Red Hat OpenShift Container Platform 4.2.22 Security Update (RHSA-2020:0689)
- 770018 Red Hat OpenShift Container Platform 4.1.38 Security Update (RHSA-2020:0697)
- 770019 Red Hat OpenShift Container Platform 4.3.8 Security Update (RHSA-2020:0928)
- 770021 Red Hat OpenShift Container Platform 4.3.12 Security Update (RHSA-2020:1396)
- 770025 Red Hat OpenShift Container Platform 4.4.3 Security Update (RHSA-2020:1937)
- 770026 Red Hat OpenShift Container Platform 4.2.33 Security Update (RHSA-2020:2027)
- 770028 Red Hat OpenShift Container Platform 4.5 Security Update (RHSA-2020:2413)
- 770034 Red Hat OpenShift Container Platform 4.4.13 Security Update (RHSA-2020:2927)
- 982578 Go (go) Security Update for github.com/proglottis/gpgme (GHSA-m6wg-2mwg-4rfq)
