Portage: Unverified PGP Signatures — GLSA 202409-01

A vulnerability has been discovered in Portage, where PGP signatures would not be verified.

Affected packages

sys-apps/portage on all architectures
Affected versions < 3.0.47
Unaffected versions >= 3.0.47

Background

Portage is the default Gentoo package management system.

Description

Multiple vulnerabilities have been discovered in Portage. Please review the CVE identifiers referenced below for details.

Impact

When using the webrsync mechanism to sync the tree the PGP signatures that protect the integrity of the data in the tree would not be verified. This would allow a man-in-the-middle attack to inject arbitrary content into the tree.

Workaround

There is no known workaround at this time.

Resolution

All Portage users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-apps/portage-3.0.47"
 

References

Release date
September 22, 2024

Latest revision
September 22, 2024: 1

Severity
normal

Exploitable
local

Bugzilla entries