Bug 710736 (CVE-2020-8945) - <app-emulation/skopeo-0.1.41: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)
Status: RESOLVED FIXED
Alias: CVE-2020-8945
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~2 [noglsa cve]
Reported: 2020-02-25 00:17 UTC by GLSAMaker/CVETool Bot
Modified: 2020-06-20 01:24 UTC

Description GLSAMaker/CVETool Bot gentoo-dev 2020-02-25 00:17:59 UTC
CVE-2020-8945 (https://nvd.nist.gov/vuln/detail/CVE-2020-8945):
  The proglottis Go wrapper before 0.1.1 for the GPGME library has a
  use-after-free, as demonstrated by use for container image pulls by Docker
  or CRI-O. This leads to a crash or potential code execution during GPG
  signature verification.


https://github.com/proglottis/gpgme/pull/23
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-14 23:14:39 UTC
For skopeo:

PR (backport for .40): https://github.com/containers/skopeo/pull/825
Patch: https://github.com/containers/skopeo/pull/825/commits/c48714e522ea147e49b0d0dfddf58a9b47137055

It's fixed in gpgme >= 0.1.2 so the actual fix in an upstream *release* is in 0.1.41: https://github.com/containers/skopeo/blob/7d080caaa32327ca063276f477a64af0fd4617ba/vendor/modules.txt#L225

So, if possible, please clean up old vulnerable versions (<0.1.41).
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-23 02:16:13 UTC
@maintainer(s), please clean up =app-emulation/skopeo-0.1.39. Thanks!
Comment 3 Larry the Git Cow gentoo-dev 2020-05-02 14:13:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6feab05b1ea2019e3e67568e2733884fdd5454f4

commit 6feab05b1ea2019e3e67568e2733884fdd5454f4
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-05-02 14:11:38 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-05-02 14:13:29 +0000

    app-emulation/skopeo: remove 0.1.39
    
    Bug: https://bugs.gentoo.org/710736
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-emulation/skopeo/Manifest             |  1 -
 app-emulation/skopeo/skopeo-0.1.39.ebuild | 55 -------------------------------
 2 files changed, 56 deletions(-)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-02 15:52:57 UTC
(In reply to Sam James (sec padawan) from comment #2)
> @maintainer(s), please clean up =app-emulation/skopeo-0.1.39. Thanks!

Sorry, could you drop =app-emulation/skopeo-0.1.40-r1 too? I missed this earlier :(
Comment 5 Larry the Git Cow gentoo-dev 2020-06-20 01:23:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bfd9b501b72013a809c2e38e949cac7daa763d3a

commit bfd9b501b72013a809c2e38e949cac7daa763d3a
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 01:23:14 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 01:23:14 +0000

    app-emulation/skopeo: drop vulnerable
    
    Bug: https://bugs.gentoo.org/710736
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 app-emulation/skopeo/Manifest                |  2 -
 app-emulation/skopeo/skopeo-0.1.40-r1.ebuild | 62 ----------------------------
 2 files changed, 64 deletions(-)