Command Injection Affecting portage package, versions [,3.0.69)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-PORTAGE-13537510
- published13 Oct 2025
- disclosed2 Oct 2025
- creditUnknown
Introduced: 2 Oct 2025
New CVE NOT AVAILABLE CWE-78 (opens in a new tab)How to fix?
Upgrade portage to version 3.0.69 or higher.
Overview
portage is a Portage is the package management and distribution system for Gentoo
Affected versions of this package are vulnerable to Command Injection due to evaluating untrusted timestamp fields in a Bash arithmetic context via command substitution. The bin/emerge-webrsync functions get_repository_timestamp() and get_snapshot_timestamp() previously extracted the first field of metadata/timestamp.x without integer validation, and the do_snapshot() and do_latest_snapshot() call sites compared values using (( snapshot_timestamp < $(get_repository_timestamp) )), allowing untrusted input to be parsed with command substitution.