Improper Verification of Cryptographic Signature Affecting portage package, versions [,3.0.69)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-PORTAGE-13537509
- published13 Oct 2025
- disclosed2 Oct 2025
- creditUnknown
Introduced: 2 Oct 2025
New CVE NOT AVAILABLE CWE-347 (opens in a new tab)Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade portage to version 3.0.69 or higher.
Overview
portage is a Portage is the package management and distribution system for Gentoo
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the check_file_signature_gpg_unwrapped() function. Due to the lack of enforcing of the presence of VALIDSIG and TRUST_ULTIMATE and trailing space requirements in "[GNUPG:] GOODSIG", GOODSIG/VALIDSIG/TRUST_NEVER or TRUST_UNDEFINED outputs cab be misinterpreted as a valid, ultimately trusted signature while validating repository snapshot signatures.