In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-webrsync is used, Portage is not vulnerable.
References
| Link | Resource |
|---|---|
| https://bugs.gentoo.org/597800 | Issue Tracking, Patch |
| https://gitweb.gentoo.org/proj/portage.git/tree/NEWS | Release Notes |
| https://wiki.gentoo.org/wiki/Portage | Product |
History
22 Jan 2024, 16:27

| Type | Values Removed | Values Added |
|---|---|---|
| CPE | | cpe:2.3:a:gentoo:portage:*:*:*:*:*:*:*:* |
| CVSS | | v2 : unknown; v3 : 9.8 |
| First Time | | Gentoo; Gentoo portage |
| References | | https://bugs.gentoo.org/597800 - Issue Tracking, Patch |
| References | | https://gitweb.gentoo.org/proj/portage.git/tree/NEWS - Release Notes |
| References | | https://wiki.gentoo.org/wiki/Portage - Product |
| CWE | | CWE-347 |
17 Jan 2024, 20:15

| Type | Values Removed | Values Added |
|---|---|---|
| Summary | | (en) In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-webrsync is used, Portage is not vulnerable. |
12 Jan 2024, 13:47

| Type | Values Removed | Values Added |
|---|---|---|
| Summary | | |
12 Jan 2024, 03:15

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2024-01-12 03:15
Updated : 2024-01-22 16:27
NVD link : CVE-2016-20021
Mitre link : CVE-2016-20021
CVE.ORG link : CVE-2016-20021
Products Affected
gentoo
- portage
CWE
CWE-347
Improper Verification of Cryptographic Signature