Gentoo Portage missing PGP validation of executed code

GHSA-pw5x-x5jw-ccmh · CVE-2016-20021 · PYSEC-2024-10

Published Jan 12, 2024 · Modified Aug 30, 2024

Description

In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2016-20021
WEB https://github.com/gentoo/portage/commit/28cd240fb23d880b8641a058831c6762db71c3e2
WEB https://bugs.gentoo.org/597800
PACKAGE https://github.com/gentoo/portage
WEB https://github.com/pypa/advisory-database/tree/main/vulns/portage/PYSEC-2024-10.yaml
WEB https://gitweb.gentoo.org/proj/portage.git/tree/NEWS
WEB https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b3c80502e96406b4b175e2ee79eb65f3f3cd9f6
WEB https://wiki.gentoo.org/wiki/Portage

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes