CVE-2020-8945

The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 87%
VendorProductVersion
gpgme_projectgpgme
𝑥
< 0.1.1
redhatopenshift_container_platform
3.11
redhatopenshift_container_platform
4.1
redhatopenshift_container_platform
4.2
redhatopenshift_container_platform
4.3
redhatopenshift_container_platform
4.4
redhatopenshift_container_platform
4.5
redhatopenshift_container_platform_for_ibm_z
4.1
redhatopenshift_container_platform_for_ibm_z
4.2
redhatopenshift_container_platform_for_linuxone
4.1
redhatopenshift_container_platform_for_linuxone
4.2
redhatenterprise_linux_for_ibm_z_systems
7.0
redhatenterprise_linux_for_power_little_endian
7.0
redhatenterprise_linux_server
7.0
redhatenterprise_linux_workstation
7.0
redhatopenshift_container_platform
3.11
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-github-proglottis-gpgme
bullseye
0.1.1-1
fixed
buster
postponed
sid
0.1.1-2
fixed
trixie
0.1.1-2
fixed
bookworm
0.1.1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-github-proglottis-gpgme
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
needs-triage
eoan
ignored
bionic
dne
xenial
dne
trusty
dne
singularity-container
noble
needs-triage
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
eoan
ignored
bionic
needs-triage
xenial
dne
trusty
dne
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2020:0679
https://access.redhat.com/errata/RHSA-2020:0689
https://access.redhat.com/errata/RHSA-2020:0697
https://bugzilla.redhat.com/show_bug.cgi?id=1795838
https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1
https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1
https://github.com/proglottis/gpgme/pull/23
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6P6SSNKN4H6GSEVROHBDXA64PX7EOED/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KDBT77KV3U7BESJX3P4S4MPVDGRTAQA2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXV7NZELYWRRCXATXU3FYD3G3WJT3WYM/
https://access.redhat.com/errata/RHSA-2020:0679
https://access.redhat.com/errata/RHSA-2020:0689
https://access.redhat.com/errata/RHSA-2020:0697
https://bugzilla.redhat.com/show_bug.cgi?id=1795838
https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1
https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1
https://github.com/proglottis/gpgme/pull/23
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6P6SSNKN4H6GSEVROHBDXA64PX7EOED/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KDBT77KV3U7BESJX3P4S4MPVDGRTAQA2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXV7NZELYWRRCXATXU3FYD3G3WJT3WYM/