PT-2014-2550 · Gentoo · Gentoo Portage

Jason A. Donenfeld

Published

2014-09-29

Updated

2022-05-17

CVE-2013-2100

CVSS v2.0

9.3

High

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Gentoo Portage version 2.1.12

Description The issue concerns the urlopen function in Gentoo Portage, which fails to verify X.509 certificates from SSL servers when using HTTPS. This allows man-in-the-middle attackers to spoof servers and modify binary package lists by using a crafted certificate.

Recommendations For Gentoo Portage version 2.1.12, consider disabling the urlopen function until a patch is available, or apply configuration changes to enforce certificate verification for HTTPS connections.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-310

Related Identifiers

CVE-2013-2100

GHSA-8823-XPHR-QW9V

PYSEC-2014-115

Affected Products

Gentoo Portage

PT-2014-2550 · Gentoo · Gentoo Portage

CVE-2013-2100

Weakness Enumeration

Related Identifiers

Affected Products

References · 12