skopeo-0.1.40-7.0.1.el7.AXS7

Errata ID: AXSA:2020-072:01

Release date: Thursday, May 14, 2020 - 02:29
Subject: skopeo-0.1.40-7.0.1.el7.AXS7
Affected Channels: Asianux Server 7 for x86_64
Severity: Moderate
Description: 

The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files.

Security Fix(es):

* proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Skopeo doesn't handle HTTP 429 errors properly

* skopeo does not show manifest manifest.list.v2 for special cases

* skopeo inspect results in panic: runtime error: invalid memory address or nil pointer dereference

* skopeo should be linked against gpgme-pthread

* docker won't start because registries service won't start

CVE-2020-8945
The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. skopeo-0.1.40-7.0.1.el7.AXS7.src.rpm
    MD5: 22e3f79c5609bf8c938aeab13efbf645
    SHA-256: fc7e088e246b90a5f667b2df2c24bb3113aa43c5c2b8c5f40044d53ee3be1a1c
    Size: 3.68 MB

Asianux Server 7 for x86_64
  1. containers-common-0.1.40-7.0.1.el7.AXS7.x86_64.rpm
    MD5: 9a55f5e86089ff42c6925dda2c7db730
    SHA-256: 28129d93338226c06058d208bc4d3243f9990537854c176463d6d8092868869b
    Size: 41.36 kB
  2. skopeo-0.1.40-7.0.1.el7.AXS7.x86_64.rpm
    MD5: d3a1ecfa25ae34fd8f866d728620d054
    SHA-256: fb021c4a35c9807cebbf53e4fad3a240d2728089ddad4a96098b522509c82a1a
    Size: 5.78 MB