portage 3.0.66 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the portage package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Command Injection portage is a Portage is the package management and distribution system for Gentoo Affected versions of this package are vulnerable to Command Injection due to evaluating untrusted timestamp fields in a Bash arithmetic context via command substitution. The `bin/emerge-webrsync` functions `get_repository_timestamp()` and `get_snapshot_timestamp()` previously extracted the first field of `metadata/timestamp.x` without integer validation, and the `do_snapshot()` and `do_latest_snapshot()` call sites compared values using `(( snapshot_timestamp < $(get_repository_timestamp) ))`, allowing untrusted input to be parsed with command substitution. How to fix Command Injection? Upgrade `portage` to version 3.0.69 or higher.	[,3.0.69)
H Improper Verification of Cryptographic Signature portage is a Portage is the package management and distribution system for Gentoo Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the `check_file_signature_gpg_unwrapped()` function. Due to the lack of enforcing of the presence of `VALIDSIG` and `TRUST_ULTIMATE` and trailing space requirements in `"[GNUPG:] GOODSIG"`, `GOODSIG/VALIDSIG/TRUST_NEVER` or `TRUST_UNDEFINED` outputs cab be misinterpreted as a valid, ultimately trusted signature while validating repository snapshot signatures. How to fix Improper Verification of Cryptographic Signature? Upgrade `portage` to version 3.0.69 or higher.	[,3.0.69)

Vulnerability

Vulnerable Version

Command Injection

portage is a Portage is the package management and distribution system for Gentoo

Affected versions of this package are vulnerable to Command Injection due to evaluating untrusted timestamp fields in a Bash arithmetic context via command substitution. The bin/emerge-webrsync functions get_repository_timestamp() and get_snapshot_timestamp() previously extracted the first field of metadata/timestamp.x without integer validation, and the do_snapshot() and do_latest_snapshot() call sites compared values using (( snapshot_timestamp < $(get_repository_timestamp) )), allowing untrusted input to be parsed with command substitution.

How to fix Command Injection?

Upgrade portage to version 3.0.69 or higher.

[,3.0.69)

Improper Verification of Cryptographic Signature

portage is a Portage is the package management and distribution system for Gentoo

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the check_file_signature_gpg_unwrapped() function. Due to the lack of enforcing of the presence of VALIDSIG and TRUST_ULTIMATE and trailing space requirements in "[GNUPG:] GOODSIG", GOODSIG/VALIDSIG/TRUST_NEVER or TRUST_UNDEFINED outputs cab be misinterpreted as a valid, ultimately trusted signature while validating repository snapshot signatures.

How to fix Improper Verification of Cryptographic Signature?

Upgrade portage to version 3.0.69 or higher.

[,3.0.69)

portage@3.0.66 vulnerabilities

Portage is the package management and distribution system for Gentoo

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically