CVE-2020-8945: Use After Free
First published: Thu Jan 16 2020(Updated: )
A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/skopeo | <1:0.1.40-7.el7_8 | 1:0.1.40-7.el7_8 |
| redhat/buildah | <0:1.11.6-8.el7_8 | 0:1.11.6-8.el7_8 |
| redhat/docker | <2:1.13.1-161.git64e9980.el7_8 | 2:1.13.1-161.git64e9980.el7_8 |
| redhat/podman | <0:1.6.4-18.el7_8 | 0:1.6.4-18.el7_8 |
| redhat/atomic-openshift | <0:3.11.248-1.git.0.92ee8ac.el7 | 0:3.11.248-1.git.0.92ee8ac.el7 |
| redhat/skopeo | <1:0.1.32-6.git1715c90.el8_0 | 1:0.1.32-6.git1715c90.el8_0 |
| redhat/skopeo | <1:0.1.32-7.git1715c90.rhaos4.2.el8 | 1:0.1.32-7.git1715c90.rhaos4.2.el8 |
| redhat/openshift-clients | <0:4.2.32-202005020632.git.1.1b0fab9.el8 | 0:4.2.32-202005020632.git.1.1b0fab9.el8 |
| redhat/cri-o | <0:1.16.4-1.dev.rhaos4.3.git9238eee.el7 | 0:1.16.4-1.dev.rhaos4.3.git9238eee.el7 |
| redhat/openshift-clients | <0:4.3.7-202003130552.git.0.6027a27.el8 | 0:4.3.7-202003130552.git.0.6027a27.el8 |
| redhat/skopeo | <1:0.1.40-4.rhaos.el8 | 1:0.1.40-4.rhaos.el8 |
| redhat/podman | <0:1.6.4-10.rhaos4.3.el8 | 0:1.6.4-10.rhaos4.3.el8 |
| redhat/cri-o | <0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8 | 0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8 |
| redhat/machine-config-daemon | <0:4.4.0-202007092124.p0.git.2349.08d34d1.el8 | 0:4.4.0-202007092124.p0.git.2349.08d34d1.el8 |
| redhat/machine-config-daemon | <0:4.5.0-202007012112.p0.git.2527.d12c3da.el8 | 0:4.5.0-202007012112.p0.git.2527.d12c3da.el8 |
| Gpgme Project Gpgme | <0.1.1 | |
| Redhat Openshift Container Platform | =3.11 | |
| Redhat Openshift Container Platform | =4.1 | |
| Redhat Openshift Container Platform | =4.2 | |
| Redhat Openshift Container Platform | =4.3 | |
| Redhat Openshift Container Platform | =4.4 | |
| Redhat Openshift Container Platform | =4.5 | |
| Redhat Openshift Container Platform For Ibm Z | =4.1 | |
| Redhat Openshift Container Platform For Ibm Z | =4.2 | |
| Redhat Openshift Container Platform For Linuxone | =4.1 | |
| Redhat Openshift Container Platform For Linuxone | =4.2 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Redhat Enterprise Linux For Ibm Z Systems | =7.0 | |
| Redhat Enterprise Linux For Power Little Endian | =7.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Workstation | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-8945 https://nvd.nist.gov/vuln/detail/CVE-2020-8945
- https://bugzilla.redhat.com/show_bug.cgi?id=1795838
- https://access.redhat.com/errata/RHSA-2020:1230
- https://access.redhat.com/errata/RHSA-2020:1231
- https://access.redhat.com/errata/RHSA-2020:1234
- https://access.redhat.com/errata/RHSA-2020:2117
- https://access.redhat.com/errata/RHSA-2020:2992
- https://access.redhat.com/errata/RHSA-2020:0697
- https://access.redhat.com/errata/RHSA-2020:1402
- https://access.redhat.com/errata/RHSA-2020:3167
- https://access.redhat.com/errata/RHSA-2020:0689
- https://access.redhat.com/errata/RHSA-2020:2027
- https://access.redhat.com/errata/RHBA-2020:1255
- https://access.redhat.com/errata/RHSA-2020:0863
- https://access.redhat.com/errata/RHSA-2020:0928
- https://access.redhat.com/errata/RHSA-2020:0679
- https://access.redhat.com/errata/RHSA-2020:1396
- https://access.redhat.com/errata/RHSA-2020:1937
- https://access.redhat.com/errata/RHSA-2020:2927
- https://access.redhat.com/errata/RHSA-2020:2413
- https://access.redhat.com/security/cve/cve-2020-8945
- https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1
- https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1
- https://github.com/proglottis/gpgme/pull/23
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H6P6SSNKN4H6GSEVROHBDXA64PX7EOED/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KDBT77KV3U7BESJX3P4S4MPVDGRTAQA2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WXV7NZELYWRRCXATXU3FYD3G3WJT3WYM/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1802897
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1802898
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1802899
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1802900
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1802901
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1802902
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1802905
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1802903
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1802904
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1802906
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1803583
- https://access.redhat.com/errata/RHSA-2020:0934
- https://access.redhat.com/errata/RHSA-2020:1940
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6P6SSNKN4H6GSEVROHBDXA64PX7EOED/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KDBT77KV3U7BESJX3P4S4MPVDGRTAQA2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXV7NZELYWRRCXATXU3FYD3G3WJT3WYM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-8945?
CVE-2020-8945 is a use-after-free vulnerability found in the Go GPGME wrapper library, github.com/proglottis/gpgme.
What is the severity level of CVE-2020-8945?
The severity level of CVE-2020-8945 is high with a CVSS score of 7.5.
How does CVE-2020-8945 impact Go applications?
CVE-2020-8945 can cause crashes or potential code execution in Go applications that use the vulnerable Go GPGME wrapper library.
Which versions of the proglottis/gpgme library are affected by CVE-2020-8945?
Versions up to and excluding 0.1.1 of the proglottis/gpgme library are affected by CVE-2020-8945.
Where can I find more information about CVE-2020-8945?
You can find more information about CVE-2020-8945 at the following references: [Link 1](https://github.com/proglottis/gpgme/pull/23), [Link 2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1802897), [Link 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1802898).
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-8945
- agent/software-canonical-lookup
- agent/severity
- agent/author
- agent/references
- agent/weakness
- agent/tags
- agent/event
- agent/description
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/gpgme project
- canonical/gpgme project gpgme
- vendor/redhat
- canonical/redhat openshift container platform
- version/redhat openshift container platform/3.11
- version/redhat openshift container platform/4.1
- version/redhat openshift container platform/4.2
- version/redhat openshift container platform/4.3
- version/redhat openshift container platform/4.4
- version/redhat openshift container platform/4.5
- canonical/redhat openshift container platform for ibm z
- version/redhat openshift container platform for ibm z/4.1
- version/redhat openshift container platform for ibm z/4.2
- canonical/redhat openshift container platform for linuxone
- version/redhat openshift container platform for linuxone/4.1
- version/redhat openshift container platform for linuxone/4.2
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- canonical/redhat enterprise linux for ibm z systems
- version/redhat enterprise linux for ibm z systems/7.0
- canonical/redhat enterprise linux for power little endian
- version/redhat enterprise linux for power little endian/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/7.0