
CVE-2016-20021: Gentoo Portage missing PGP validation of executed code

CVSS Score: 9.8 (CVSS v3.1)
Basic Information

EPSS Score: 0.16377%
Published: 1/12/2024
Updated: 8/30/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
portage      | pip       | >= 0, < 3.0.47      | 3.0.47

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from missing PGP validation in emerge-webrsync's handling of webrsync snapshots. The commit 28cd240 explicitly adds PGP verification via gemato and reworks the check_file_signature logic. The diff shows:

  1. Original check_file_signature lacked proper verification flows (relying on deprecated webrsync-gpg)
  2. do_snapshot fetched .gpgsig but didn't validate unless explicitly configured
  3. The patch introduces WEBRSYNC_VERIFY_SIGNATURE handling and gemato integration, confirming the prior absence of validation. These functions were directly responsible for the insecure behavior.
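The control-flow defect described above, as an added example (not Portage's own code): a "before" function that mirrors the pre-3.0.47 flow, where the downloaded .gpgsig is only checked when the deprecated webrsync-gpg FEATURE is set, beside a patched flow that verifies by default and fails closed. The function names, the `verify_signature` toggle standing in for WEBRSYNC_VERIFY_SIGNATURE (its exact value semantics are assumed), and the use of gpg(1) in place of gemato are all assumptions of this example; the verifier is injectable so the decision logic runs without a keyring.

```python
"""Added example (not Portage's own code): models the emerge-webrsync snapshot
check before and after the CVE-2016-20021 fix.  The real patch wires gemato in;
here a detached-signature check via gpg(1) stands in for it, and the verifier
is injectable so the control flow can be exercised without a keyring."""
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Optional, Set

# A verifier takes (snapshot bytes, detached signature bytes) and reports
# whether the signature is valid under a trusted key.
Verifier = Callable[[bytes, bytes], bool]


class RefusedSnapshot(Exception):
    """Raised when a snapshot must not be unpacked or executed."""


def gpg_verify(snapshot: bytes, sig: bytes) -> bool:
    """Detached OpenPGP check by shelling out to gpg(1).

    `gpg --batch --verify SIGFILE DATAFILE` is the standard CLI form; it only
    succeeds if GNUPGHOME already holds the trusted signing key.  Assumed here
    as a stand-in for the gemato-based check the real patch uses.
    """
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp, "portage-snapshot.tar.xz")
        sigf = Path(tmp, "portage-snapshot.tar.xz.gpgsig")
        data.write_bytes(snapshot)
        sigf.write_bytes(sig)
        result = subprocess.run(
            ["gpg", "--batch", "--verify", str(sigf), str(data)],
            capture_output=True,
        )
        return result.returncode == 0


def accept_snapshot_vulnerable(
    snapshot: bytes, sig: Optional[bytes], features: Set[str], verifier: Verifier
) -> bool:
    """Pre-3.0.47 flow as the root-cause analysis describes it: the .gpgsig is
    downloaded, but it is only checked when the deprecated `webrsync-gpg`
    FEATURE is set.  With default FEATURES the snapshot is used unverified."""
    if "webrsync-gpg" not in features:
        return True  # the bug: unverified code is accepted by default
    return sig is not None and verifier(snapshot, sig)


def accept_snapshot_patched(
    snapshot: bytes,
    sig: Optional[bytes],
    verify_signature: bool = True,  # models WEBRSYNC_VERIFY_SIGNATURE (semantics assumed)
    verifier: Verifier = gpg_verify,
) -> bool:
    """Patched flow: verification is on by default and fails closed.  Only an
    explicit opt-out skips the check; a missing or bad signature refuses the
    snapshot before anything in it is unpacked or run."""
    if not verify_signature:
        return True
    if sig is None:
        raise RefusedSnapshot("snapshot has no .gpgsig; refusing to unpack it")
    if not verifier(snapshot, sig):
        raise RefusedSnapshot("detached signature did not verify; refusing to unpack it")
    return True


def outcome_patched(snapshot: bytes, sig: Optional[bytes], verifier: Verifier,
                    verify_signature: bool = True) -> str:
    """String form of the patched decision, convenient for logging and tests."""
    try:
        accept_snapshot_patched(snapshot, sig, verify_signature, verifier)
        return "accepted"
    except RefusedSnapshot as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    # Constructed sample: a fake snapshot and a verifier that always rejects,
    # i.e. the outcome a tampered or unsigned snapshot would produce.
    fake_snapshot = b"not really a tarball"
    reject_all: Verifier = lambda _data, _sig: False
    print("vulnerable, default FEATURES:",
          accept_snapshot_vulnerable(fake_snapshot, b"bogus", set(), reject_all))
    print("patched, default settings:   ",
          outcome_patched(fake_snapshot, b"bogus", reject_all))
    print("patched, signature missing:  ",
          outcome_patched(fake_snapshot, None, reject_all))
```

The point the two functions make side by side: the vulnerable flow's default branch never consults the signature at all, so fetching the .gpgsig gave no protection unless an administrator had opted in; the patched flow inverts the default and treats both a missing and an invalid signature as a hard refusal. When auditing similar update scripts, look for the same shape: a signature file that is downloaded but only checked behind an optional flag.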

Description

In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification.
