oss-sec mailing list archives

Re: CVE Request: Man in the middle on Gentoo Portage binary package installer


From: Pavel Labushev <pavel.labushev () runbox no>
Date: Mon, 20 May 2013 19:48:23 +0800

On Wed, 15 May 2013 12:46:57 +0200
"Jason A. Donenfeld" <Jason () zx2c4 com> wrote:

> I reported this to the maintainer of Portage in Gentoo Bug #469888
> [1], and it was fixed in commit b5969af9f5 [2].
>
> Do note that while this commit solves the immediate problem with
> fetching /Packages, as detailed above, there may be other additional
> unconfirmed insecure uses of the vulnerable urlopen() function that
> have not yet been analyzed or fixed.

emerge --sync uses plain rsync without any integrity verification. One
should not worry about /Packages before he has started obtaining the
portage tree using emerge-webrsync together with the webrsync-gpg
feature instead of emerge --sync.
