In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-webrsync is used, Portage is not vulnerable.
The emerge-webrsync tool downloads a .gpgsig file containing a PGP signature, however it does not perform actual verification of this signature. This means that the downloaded and executed code is not checked for authenticity and integrity. An attacker who can intercept or modify downloaded data (e.g. through a man-in-the-middle attack or compromise of the source server) can deliver malicious code that will be executed without warning.
An attacker can cause arbitrary code execution on the system of a user using emerge-webrsync, which can result in complete system takeover, breach of confidentiality and data integrity.
Gentoo Portage should be updated to version 3.0.47 or later. Details available in the vendor references: https://gitweb.gentoo.org/proj/portage.git/tree/NEWS. Until the update is applied, avoid using the emerge-webrsync tool.
Gentoo Portage in versions before 3.0.47, only when the emerge-webrsync tool is used. Standard Portage use without emerge-webrsync is not vulnerable.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGentoo Portage
APPGentoo< 3.0.47
Related vulnerabilities
Ebuild in Gentoo may change directory and file permissions depending on the order of installed packages, which...
The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage 2.1.12, when using HTTPS, does not veri...
Gentoo Portage through 2.3.84 allows local users to place a Trojan horse plugin in the /usr/lib64/nagios/plugi...
Multiple untrusted search path vulnerabilities in Portage before 2.1.4.5 include the current working directory...
Portage before 2.0.50-r3 allows local users to overwrite arbitrary files via a hard link attack on the lockfil...