Download phase:

Octave's pkg subprogram (scripts/pkg/pkg.m:392), upon being issued "pkg install -forge <package_name>" from the interpreter or other code, calls get_forge_download (scripts/pkg/private/get_forge_download.m), which calls get_forge_pkg (scripts/pkg/private/get_forge_pkg.m). This function returns a URL of the form "http://packages.octave.org/%s/index.html" that resolved to "http://sourceforge.net/projects/octave/files/". This URL is then passed to urlwrite on scripts/pkg/pkg.m:395, which does the actual fetching. It does not seem to fetch any cryptographic signatures. This is bad for two reasons:

1) Octave fetches packages over an insecure channel (not very bad on its own, read below)
2) Octave fetches packages from _sourceforge_, which was found to be packaging adware into GIMP's installer [1].

Install phase:

scripts/pkg/private/install.m:109 verify_directory (packdir);
This function only ensures the presence of "COPYING" and "DESCRIPTION" files.

scripts/pkg/private/install.m:331 load_packages_and_dependencies ...
This function calls load_package_dirs(...) and adds it to the function search path.

scripts/pkg/private/load_package_dirs.m: load_package_dirs(..)
This function seems to only sort out the order in which the paths must be set up.

grepping for 'pgp', 'gpg', 'checksum' and 'sha' comes up with no package integrity verification code at all!

1) The Octave interpreter does not seem to restrict the code it interprets in any way.
2) A lot of the Octave packages (e.g. image-2.4.1, control-2.8.4, optim-1.3.0) contain source code intended for the package command to build and dynamically load into the interpreter: install.m calls configure_make(), which then executes make in a shell (line 91).

While the presence of this does not seem to pose a security risk as soon as GNU Octave is installed by portage, there is no security warning issued to the pkg command user before the above happens or when Octave itself is installed.
[1] http://arstechnica.com/information-technology/2015/05/sourceforge-grabs-gimp-for-windows-account-wraps-installer-in-bundle-pushing-adware/

Reproducible: Always

All versions likely vulnerable.
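The report above describes a flow in which pkg fetches a tarball with urlwrite, checks only that COPYING and DESCRIPTION exist, and then runs make on any src/ directory. The following is an added example (not Octave's code and not part of this bug report) of the pre-install check a user can run on a locally fetched Forge tarball before handing it to "pkg install ./foo.tar.gz": it compares the file's SHA-256 against a hash obtained out of band, rejects archives with absolute or ".." member paths, confirms the two files pkg itself requires, and reports whether a src/ directory is present, i.e. whether installing it will execute make. The sample tarball is constructed inside the script and is not a real Octave Forge release; the expected hash is passed in by the caller rather than fetched from anywhere.

```python
"""Pre-install check for an Octave Forge package tarball (added example)."""
import hashlib
import hmac
import io
import tarfile
from dataclasses import dataclass


@dataclass
class Report:
    sha256: str
    pinned_ok: bool        # digest matches the hash supplied out of band
    safe_paths: bool       # no absolute members, no ".." path components
    has_description: bool  # the two files verify_directory in install.m looks for
    has_copying: bool
    runs_make: bool        # a src/ directory means configure_make() will run make

    @property
    def ok_to_install(self) -> bool:
        return (self.pinned_ok and self.safe_paths
                and self.has_description and self.has_copying)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_tarball(data: bytes, expected_sha256: str) -> Report:
    """Inspect the archive listing only; nothing is extracted or executed."""
    digest = sha256_of(data)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        names = [m.name for m in tf.getmembers()]
    # pkg unpacks into one top-level directory ("name-version/..."); strip it
    # so DESCRIPTION, COPYING and src/ are matched the way install.m sees them.
    rel = [n.split("/", 1)[1] if "/" in n else "" for n in names]
    safe = all(not n.startswith("/") and ".." not in n.split("/") for n in names)
    return Report(
        sha256=digest,
        pinned_ok=hmac.compare_digest(digest, expected_sha256),
        safe_paths=safe,
        has_description="DESCRIPTION" in rel,
        has_copying="COPYING" in rel,
        runs_make=any(r.startswith("src/") for r in rel),
    )


def build_sample_tarball(with_src: bool = True, traversal: bool = False) -> bytes:
    """Constructed sample package layout for demonstration; not a real release."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add(name: str, content: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
        add("sample-1.0.0/DESCRIPTION", b"Name: sample\nVersion: 1.0.0\n")
        add("sample-1.0.0/COPYING", b"GPLv3\n")
        add("sample-1.0.0/inst/hello.m", b"function hello()\n  disp('hi');\nend\n")
        if with_src:
            # Anything in src/Makefile is executed by pkg's configure_make().
            add("sample-1.0.0/src/Makefile", b"all:\n\techo built\n")
        if traversal:
            add("../../etc/profile", b"# would land outside the unpack dir\n")
    return buf.getvalue()


if __name__ == "__main__":
    tarball = build_sample_tarball()
    # In real use the expected hash comes from a trusted out-of-band source.
    report = inspect_tarball(tarball, sha256_of(tarball))
    print(report)
    if report.ok_to_install:
        if report.runs_make:
            print("NOTE: src/ present, 'pkg install' will run make from this archive")
        print("octave --eval \"pkg install ./sample-1.0.0.tar.gz\"")
    else:
        print("refusing to install")
```

Passing the hash explicitly is the point: pkg has no place to put one, so the only way to get integrity checking today is to fetch the tarball yourself, verify it, and install from the local file instead of using -forge.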
Upstream added http://hg.savannah.gnu.org/hgweb/octave/rev/453fca9ae397

This warning is present in v4.2.0. Like upstream said in $URL, this isn't ideal, but there is nothing more to do for us.

@ Maintainer(s): Can we stabilize =sci-mathematics/octave-4.2.0 to push the warning down to our users?
@ Arches, please test and mark stable: =sci-mathematics/octave-4.2.0-r2
Stopping stabilization due to open bugs.
Can we take a look at the bugs please so we can close this bug.
All vulnerable versions removed from tree.

commit 8fc2192f2c98e1de3f9667d4d968141c6df8d55c
Author: David Seifert <soap@gentoo.org>
Date:   Sun Jun 11 23:02:50 2017 +0200

    sci-mathematics/octave: Remove old
Thank you all for your work. Closing as [noglsa].