CVE-2020-8945: 
NixOS vulnerability analysis and mitigation

CVE-2020-8945 affects the proglottis Go wrapper for the GPGME library versions before 0.1.1. The vulnerability was discovered in early 2020 and involves a use-after-free condition that occurs during container image pulls by Docker or CRI-O (NVD).

The vulnerability stems from a use-after-free condition in the Go wrapper's interaction with GPGME C library during GPG signature verification. The issue occurs because the Go wrapper does not properly mark data structures or pointers to be kept alive by the Go runtime. During GPG binary execution, the Golang garbage collector can potentially free referenced C structures while they are still needed, leading to the use-after-free scenario when the GPG binary finishes executing (Bugzilla). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) (NVD).

This vulnerability can lead to a crash or potential code execution during GPG signature verification when pulling container images. The issue affects various container tools including Docker and CRI-O that use this library for GPG signature verification (NVD).

The vulnerability was fixed in version 0.1.1 of the proglottis/gpgme library. The fix involves explicitly extending the lifetime of objects using runtime.KeepAlive to ensure C structures aren't deallocated while still in use (Github PR). Red Hat has released several security advisories (RHSA-2020:0679, RHSA-2020:0689, RHSA-2020:0697) to address this vulnerability in affected products (Red Hat Advisory).