CRITICAL🇵🇱 Wersja polska

CVE-2016-20021

CVSS 9.8v3.1pub. 2024-01-12upd. 2025-06-03

In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-webrsync is used, Portage is not vulnerable.

🤖 AI Analysis
How it works

The emerge-webrsync tool downloads a .gpgsig file containing a PGP signature, however it does not perform actual verification of this signature. This means that the downloaded and executed code is not checked for authenticity and integrity. An attacker who can intercept or modify downloaded data (e.g. through a man-in-the-middle attack or compromise of the source server) can deliver malicious code that will be executed without warning.

Impact

An attacker can cause arbitrary code execution on the system of a user using emerge-webrsync, which can result in complete system takeover, breach of confidentiality and data integrity.

Mitigation & patch

Gentoo Portage should be updated to version 3.0.47 or later. Details available in the vendor references: https://gitweb.gentoo.org/proj/portage.git/tree/NEWS. Until the update is applied, avoid using the emerge-webrsync tool.

Who is affected

Gentoo Portage in versions before 3.0.47, only when the emerge-webrsync tool is used. Standard Portage use without emerge-webrsync is not vulnerable.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Gentoo Portage

    APP
    Gentoo
    < 3.0.47
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2004-2778HIGH7.1ten sam produkt

Ebuild in Gentoo may change directory and file permissions depending on the order of installed packages, which...

CVE-2013-2100HIGH9.3ten sam produkt

The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage 2.1.12, when using HTTPS, does not veri...

CVE-2019-20384MEDIUM5.5ten sam produkt

Gentoo Portage through 2.3.84 allows local users to place a Trojan horse plugin in the /usr/lib64/nagios/plugi...

CVE-2008-4394MEDIUM6.9ten sam produkt

Multiple untrusted search path vulnerabilities in Portage before 2.1.4.5 include the current working directory...

CVE-2004-1901MEDIUM5.5ten sam produkt

Portage before 2.0.50-r3 allows local users to overwrite arbitrary files via a hard link attack on the lockfil...