oss-sec mailing list archives
Re: CVE Request: Man in the middle on Gentoo Portage binary package installer
From: Pavel Labushev <pavel.labushev () runbox no>
Date: Mon, 20 May 2013 19:48:23 +0800
On Wed, 15 May 2013 12:46:57 +0200 "Jason A. Donenfeld" <Jason () zx2c4 com> wrote:
> I reported this to the maintainer of Portage in Gentoo Bug #469888 [1], and it was fixed in commit b5969af9f5 [2]. Do note that while this commit solves the immediate problem with fetching /Packages, as detailed above, there may be other additional unconfirmed insecure uses of the vulnerable urlopen() function that have not yet been analyzed or fixed.
emerge --sync uses plain rsync without any integrity verification. One should not worry about /Packages before one has started obtaining the portage tree using emerge-webrsync together with the webrsync-gpg feature instead of emerge --sync.
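As an added example (not code from this thread, from Pavel, or from Portage itself), the following POSIX shell helper audits a make.conf for the two settings the emerge-webrsync of the time needed in order to check the snapshot signature, FEATURES containing webrsync-gpg and PORTAGE_GPG_DIR pointing at a keyring, and provides a routine that writes them. The keyring path, the make.conf path and the key id are placeholders and assumptions; the sample make.conf contents used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the oss-sec thread or from Portage: audit a
# make.conf for the settings emerge-webrsync needs in order to GPG-verify
# the portage snapshot, and optionally write them.  Paths and the key id
# below are placeholders, not values the thread gives.

# Strip shell quotes from a variable value read out of make.conf.
unquote() { tr -d "\"'" ; }

# Return 0 when the make.conf at $1 both lists webrsync-gpg in FEATURES
# (any FEATURES= line, so FEATURES="${FEATURES} webrsync-gpg" counts) and
# sets PORTAGE_GPG_DIR, the keyring emerge-webrsync verifies against.
# Otherwise return 1, so callers fail closed.
webrsync_gpg_enabled() {
    conf="$1"
    feats=$(sed -n 's/^[[:space:]]*FEATURES=//p' "$conf" | unquote | tr '\n' ' ')
    gpgdir=$(sed -n 's/^[[:space:]]*PORTAGE_GPG_DIR=//p' "$conf" | unquote | tail -n 1)
    case " $feats " in
        *" webrsync-gpg "*) ;;
        *) return 1 ;;
    esac
    [ -n "$gpgdir" ]
}

# Append the two settings and import the snapshot signing key into a
# dedicated keyring.  GENTOO_SNAPSHOT_KEY must be supplied by the caller
# (take the key id from gentoo.org; it is deliberately not hard-coded here).
# Meant to be run as root on a Gentoo host; this script never calls it
# on its own.
enable_webrsync_gpg() {
    conf="${1:-/etc/portage/make.conf}"      # assumed default location
    gpgdir="${2:-/etc/portage/gnupg}"        # assumed keyring directory
    key="${GENTOO_SNAPSHOT_KEY:?set to the Gentoo snapshot signing key id}"
    mkdir -p "$gpgdir" && chmod 700 "$gpgdir"
    gpg --homedir "$gpgdir" --recv-keys "$key"
    printf '\nFEATURES="${FEATURES} webrsync-gpg"\nPORTAGE_GPG_DIR="%s"\n' "$gpgdir" >> "$conf"
    # From here on emerge-webrsync rejects an unsigned or tampered snapshot;
    # keep using it instead of "emerge --sync", which is plain rsync.
}

# Audit mode: report on a live make.conf when invoked with --audit [path].
if [ "${1:-}" = "--audit" ]; then
    if webrsync_gpg_enabled "${2:-/etc/portage/make.conf}"; then
        echo "webrsync-gpg enabled"
    else
        echo "snapshot verification NOT enabled" >&2
        exit 1
    fi
fi
```

Run `sh audit.sh --audit` on a host to see whether it is still syncing over unauthenticated rsync; a box that passes this check is the one for which the /Packages fetch discussed above becomes the next thing to worry about.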