710736 – (CVE-2020-8945) <app-emulation/skopeo-0.1.41: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)

Bug 710736 (CVE-2020-8945) - <app-emulation/skopeo-0.1.41: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)

Summary: <app-emulation/skopeo-0.1.41: Use-after-free in GPGME bindings during contain...

Status:	RESOLVED FIXED

Alias:	CVE-2020-8945

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial
Assignee:	Gentoo Security

URL:
Whiteboard:	~2 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2020-02-25 00:17 UTC by GLSAMaker/CVETool Bot
Modified:	2020-06-20 01:24 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2020-02-25 00:17:59 UTC

CVE-2020-8945 (https://nvd.nist.gov/vuln/detail/CVE-2020-8945):
  The proglottis Go wrapper before 0.1.1 for the GPGME library has a
  use-after-free, as demonstrated by use for container image pulls by Docker
  or CRI-O. This leads to a crash or potential code execution during GPG
  signature verification.


https://github.com/proglottis/gpgme/pull/23

Comment 1 Sam James archtester

2020-03-14 23:14:39 UTC

For skopeo:

PR (backport for .40): https://github.com/containers/skopeo/pull/825
Patch: https://github.com/containers/skopeo/pull/825/commits/c48714e522ea147e49b0d0dfddf58a9b47137055

It's fixed in gpgme >= 0.1.2 so the actual fix in an upstream *release* is in 0.1.41: https://github.com/containers/skopeo/blob/7d080caaa32327ca063276f477a64af0fd4617ba/vendor/modules.txt#L225

So, if possible, please cleanup old vulnerable versions (<0.1.41).

Comment 2 Sam James archtester

2020-04-23 02:16:13 UTC

@maintainer(s), please cleanup =app-emulation/skopeo-0.1.39. Thanks!

Comment 3 Larry the Git Cow gentoo-dev

2020-05-02 14:13:56 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6feab05b1ea2019e3e67568e2733884fdd5454f4

commit 6feab05b1ea2019e3e67568e2733884fdd5454f4
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-05-02 14:11:38 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-05-02 14:13:29 +0000

    app-emulation/skopeo: remove 0.1.39
    
    Bug: https://bugs.gentoo.org/710736
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-emulation/skopeo/Manifest             |  1 -
 app-emulation/skopeo/skopeo-0.1.39.ebuild | 55 -------------------------------
 2 files changed, 56 deletions(-)

Comment 4 Sam James archtester

2020-05-02 15:52:57 UTC

(In reply to Sam James (sec padawan) from comment #2)
> @maintainer(s), please cleanup =app-emulation/skopeo-0.1.39. Thanks!

Sorry, could you drop =app-emulation/skopeo-0.1.40-r1 too? I missed this earlier :(

Comment 5 Larry the Git Cow gentoo-dev

2020-06-20 01:23:56 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bfd9b501b72013a809c2e38e949cac7daa763d3a

commit bfd9b501b72013a809c2e38e949cac7daa763d3a
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 01:23:14 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 01:23:14 +0000

    app-emulation/skopeo: drop vulnerable
    
    Bug: https://bugs.gentoo.org/710736
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 app-emulation/skopeo/Manifest                |  2 -
 app-emulation/skopeo/skopeo-0.1.40-r1.ebuild | 62 ----------------------------
 2 files changed, 64 deletions(-)