First published: Thu Jan 16 2020
A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/skopeo | <1:0.1.40-7.el7_8 | 1:0.1.40-7.el7_8 |
redhat/buildah | <0:1.11.6-8.el7_8 | 0:1.11.6-8.el7_8 |
redhat/docker | <2:1.13.1-161.git64e9980.el7_8 | 2:1.13.1-161.git64e9980.el7_8 |
redhat/podman | <0:1.6.4-18.el7_8 | 0:1.6.4-18.el7_8 |
redhat/atomic-openshift | <0:3.11.248-1.git.0.92ee8ac.el7 | 0:3.11.248-1.git.0.92ee8ac.el7 |
redhat/skopeo | <1:0.1.32-6.git1715c90.el8_0 | 1:0.1.32-6.git1715c90.el8_0 |
redhat/skopeo | <1:0.1.32-7.git1715c90.rhaos4.2.el8 | 1:0.1.32-7.git1715c90.rhaos4.2.el8 |
redhat/openshift-clients | <0:4.2.32-202005020632.git.1.1b0fab9.el8 | 0:4.2.32-202005020632.git.1.1b0fab9.el8 |
redhat/cri-o | <0:1.16.4-1.dev.rhaos4.3.git9238eee.el7 | 0:1.16.4-1.dev.rhaos4.3.git9238eee.el7 |
redhat/openshift-clients | <0:4.3.7-202003130552.git.0.6027a27.el8 | 0:4.3.7-202003130552.git.0.6027a27.el8 |
redhat/skopeo | <1:0.1.40-4.rhaos.el8 | 1:0.1.40-4.rhaos.el8 |
redhat/podman | <0:1.6.4-10.rhaos4.3.el8 | 0:1.6.4-10.rhaos4.3.el8 |
redhat/cri-o | <0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8 | 0:1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8 |
redhat/machine-config-daemon | <0:4.4.0-202007092124.p0.git.2349.08d34d1.el8 | 0:4.4.0-202007092124.p0.git.2349.08d34d1.el8 |
redhat/machine-config-daemon | <0:4.5.0-202007012112.p0.git.2527.d12c3da.el8 | 0:4.5.0-202007012112.p0.git.2527.d12c3da.el8 |
Gpgme Project Gpgme | <0.1.1 | |
Redhat Openshift Container Platform | =3.11 | |
Redhat Openshift Container Platform | =4.1 | |
Redhat Openshift Container Platform | =4.2 | |
Redhat Openshift Container Platform | =4.3 | |
Redhat Openshift Container Platform | =4.4 | |
Redhat Openshift Container Platform | =4.5 | |
Redhat Openshift Container Platform For Ibm Z | =4.1 | |
Redhat Openshift Container Platform For Ibm Z | =4.2 | |
Redhat Openshift Container Platform For Linuxone | =4.1 | |
Redhat Openshift Container Platform For Linuxone | =4.2 | |
Redhat Enterprise Linux | =7.0 | |
Redhat Enterprise Linux | =8.0 | |
Fedoraproject Fedora | =30 | |
Fedoraproject Fedora | =31 | |
Fedoraproject Fedora | =32 | |
Redhat Enterprise Linux For Ibm Z Systems | =7.0 | |
Redhat Enterprise Linux For Power Little Endian | =7.0 | |
Redhat Enterprise Linux Server | =7.0 | |
Redhat Enterprise Linux Workstation | =7.0 | |
CVE-2020-8945 is a use-after-free vulnerability found in the Go GPGME wrapper library, github.com/proglottis/gpgme.
The severity level of CVE-2020-8945 is high with a CVSS score of 7.5.
CVE-2020-8945 can cause crashes or potential code execution in Go applications that use the vulnerable Go GPGME wrapper library.
Versions up to and excluding 0.1.1 of the proglottis/gpgme library are affected by CVE-2020-8945.
You can find more information about CVE-2020-8945 at the following references: [Link 1](https://github.com/proglottis/gpgme/pull/23), [Link 2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1802897), [Link 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1802898).