github.com/proglottis/gpgme is vulnerable to use-after-free. The attack is possible because it allows malicious use for container image pulls by Docker or CRI-O, leading to an application crash or arbitrary code execution during GPG signature verification.
access.redhat.com/errata/RHSA-2020:0679
access.redhat.com/errata/RHSA-2020:0689
access.redhat.com/errata/RHSA-2020:0697
bugzilla.redhat.com/show_bug.cgi?id=1795838
github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1
github.com/proglottis/gpgme/commit/d575e5df6a8359a0ad12f59a8377d362c3eb6afd
github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1
github.com/proglottis/gpgme/pull/23
lists.fedoraproject.org/archives/list/[email protected]/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/
lists.fedoraproject.org/archives/list/[email protected]/message/H6P6SSNKN4H6GSEVROHBDXA64PX7EOED/
lists.fedoraproject.org/archives/list/[email protected]/message/KDBT77KV3U7BESJX3P4S4MPVDGRTAQA2/
lists.fedoraproject.org/archives/list/[email protected]/message/WXV7NZELYWRRCXATXU3FYD3G3WJT3WYM/