| Summary: | <app-emulation/skopeo-0.1.41: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | williamh |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | ~2 [noglsa cve] | | |
| Package list: | | Runtime testing required: | --- |

Description
GLSAMaker/CVETool Bot
2020-02-25 00:17:59 UTC
For skopeo:

PR (backport for .40): https://github.com/containers/skopeo/pull/825
Patch: https://github.com/containers/skopeo/pull/825/commits/c48714e522ea147e49b0d0dfddf58a9b47137055

It's fixed in gpgme >= 0.1.2 so the actual fix in an upstream *release* is in 0.1.41:
https://github.com/containers/skopeo/blob/7d080caaa32327ca063276f477a64af0fd4617ba/vendor/modules.txt#L225

So, if possible, please clean up old vulnerable versions (<0.1.41).

@maintainer(s), please clean up =app-emulation/skopeo-0.1.39. Thanks!

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6feab05b1ea2019e3e67568e2733884fdd5454f4

commit 6feab05b1ea2019e3e67568e2733884fdd5454f4
Author: William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-05-02 14:11:38 +0000
Commit: William Hubbs <williamh@gentoo.org>
CommitDate: 2020-05-02 14:13:29 +0000

    app-emulation/skopeo: remove 0.1.39

    Bug: https://bugs.gentoo.org/710736
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-emulation/skopeo/Manifest | 1 -
 app-emulation/skopeo/skopeo-0.1.39.ebuild | 55 -------------------------------
 2 files changed, 56 deletions(-)

(In reply to Sam James (sec padawan) from comment #2)
> @maintainer(s), please clean up =app-emulation/skopeo-0.1.39. Thanks!

Sorry, could you drop =app-emulation/skopeo-0.1.40-r1 too? I missed this earlier :(

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bfd9b501b72013a809c2e38e949cac7daa763d3a

commit bfd9b501b72013a809c2e38e949cac7daa763d3a
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 01:23:14 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 01:23:14 +0000

    app-emulation/skopeo: drop vulnerable

    Bug: https://bugs.gentoo.org/710736
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 app-emulation/skopeo/Manifest | 2 -
 app-emulation/skopeo/skopeo-0.1.40-r1.ebuild | 62 ----------------------------
 2 files changed, 64 deletions(-)