Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wdzV4LXg1anctY2NtaM4AA4Z-
Gentoo Portage missing PGP validation of executed code
In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification.
Permalink: https://github.com/advisories/GHSA-pw5x-x5jw-ccmhJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wdzV4LXg1anctY2NtaM4AA4Z-
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 months ago
Updated: 3 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-pw5x-x5jw-ccmh, CVE-2016-20021
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-20021
- https://bugs.gentoo.org/597800
- https://gitweb.gentoo.org/proj/portage.git/tree/NEWS
- https://wiki.gentoo.org/wiki/Portage
- https://github.com/gentoo/portage/commit/28cd240fb23d880b8641a058831c6762db71c3e2
- https://github.com/pypa/advisory-database/tree/main/vulns/portage/PYSEC-2024-10.yaml
- https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b3c80502e96406b4b175e2ee79eb65f3f3cd9f6
- https://github.com/advisories/GHSA-pw5x-x5jw-ccmh
Blast Radius: 13.3
Affected Packages
pypi:portage
Dependent packages: 4Dependent repositories: 23
Downloads: 119,409 last month
Affected Version Ranges: >= 0, < 3.0.47
Fixed in: 3.0.47
All affected versions: 3.0.18, 3.0.19, 3.0.20, 3.0.21, 3.0.22, 3.0.23, 3.0.24, 3.0.25, 3.0.26, 3.0.27, 3.0.28, 3.0.29, 3.0.30, 3.0.31, 3.0.32, 3.0.33, 3.0.34, 3.0.35, 3.0.36, 3.0.37, 3.0.38, 3.0.39, 3.0.40, 3.0.41, 3.0.42, 3.0.43, 3.0.44, 3.0.45, 3.0.46
All unaffected versions: 3.0.47, 3.0.48, 3.0.49, 3.0.50, 3.0.51, 3.0.52, 3.0.54, 3.0.55, 3.0.56, 3.0.57, 3.0.58, 3.0.59, 3.0.60, 3.0.61, 3.0.62, 3.0.63, 3.0.64, 3.0.65, 3.0.66