Disclaimer: I haven't tested it practically but eyeball-verified that the code is vulnerable. The signature verification in emerge-webrsync (which has been copied into emerge-delta-webrsync as well) pretty much boils down to running 'gpg --verify ...' and checking the return code. However, gpg will return a successful return code if the signature is valid but has been made by a *revoked* key. It's basically the same problem as bug #570734 but it has been ignored there because the submitter noticed only that it applies to expired keys. However, the lack of explicit gpg status code verification means the verification will only fail if there is no signature, no matching key or the signature is bad. Untrusted, expired and revoked keys are merely reported as warnings. This means that if a malicious third party obtains the Gentoo snapshot signing key and Infra revokes it, and even if the user makes sure to regularly refresh the keys and gpg actually fetches the revocation, emerge-webrsync will still proceed with the update and exit successfully. The revocation warning can be easily missed in the following output or when the job is run automated.
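To make the failure mode concrete: the following is an added example written for this page, not code from emerge-webrsync and not the Portage fix linked in the later comments. It decides on gpg's machine-readable --status-fd lines (GOODSIG, REVKEYSIG, EXPKEYSIG, BADSIG, TRUST_*) rather than on the exit status, which is what lets a revoked-key signature through. The status samples, key ID and user ID are constructed placeholders, and the verify_detached wrapper's keyring argument is an assumed call shape; the keyword meanings follow gpg's doc/DETAILS.

```shell
#!/bin/sh
# Added example, not code from emerge-webrsync or from the Portage fix:
# decide on gpg's machine-readable status lines instead of its exit code.
# A signature made by a revoked or expired key still gives exit status 0;
# gpg reports it as REVKEYSIG / EXPKEYSIG in --status-fd output (and only
# as a warning on stderr), which is what the check below keys on.
# Plain POSIX sh (no 'local'): status and verdict are script-wide variables.

# check_gpg_status STATUS_TEXT
#   STATUS_TEXT is the "[GNUPG:] ..." output of gpg --status-fd, one line
#   per status. Prints a one-word verdict and returns 0 only for GOOD.
check_gpg_status() {
    status="$1"
    verdict="NOSIG"
    while IFS= read -r line; do
        case "$line" in
            # GOODSIG can only lift NOSIG; any later problem line wins.
            "[GNUPG:] GOODSIG "*)
                if [ "$verdict" = "NOSIG" ]; then verdict="GOOD"; fi ;;
            "[GNUPG:] EXPKEYSIG "*) verdict="EXPIRED_KEY" ;;  # good sig, expired key
            "[GNUPG:] REVKEYSIG "*) verdict="REVOKED_KEY" ;;  # good sig, revoked key
            "[GNUPG:] EXPSIG "*)    verdict="EXPIRED_SIG" ;;  # signature itself expired
            "[GNUPG:] BADSIG "*)    verdict="BAD" ;;
            "[GNUPG:] ERRSIG "*)    verdict="ERROR" ;;        # could not check (e.g. no key)
            "[GNUPG:] NO_PUBKEY "*) verdict="NO_PUBKEY" ;;
            # Ownertrust: a key the keyring does not mark as trusted is rejected too.
            "[GNUPG:] TRUST_NEVER"*|"[GNUPG:] TRUST_UNDEFINED"*|"[GNUPG:] TRUST_MARGINAL"*)
                if [ "$verdict" = "GOOD" ]; then verdict="UNTRUSTED"; fi ;;
        esac
    done <<EOF
$status
EOF
    echo "$verdict"
    [ "$verdict" = "GOOD" ]
}

# verify_detached SIG FILE KEYRING
#   Assumed call shape for a snapshot check: run gpg against a dedicated
#   keyring, deliberately ignore its exit status, and let the status lines
#   decide. Needs gpg and real key material, so it is not exercised below.
verify_detached() {
    status_out=$(gpg --batch --no-default-keyring --keyring "$3" \
                     --status-fd 1 --verify "$1" "$2" 2>/dev/null || true)
    check_gpg_status "$status_out"
}

# Constructed status samples (not captured from a real gpg run; the key ID
# and user ID are placeholders). Each is what --status-fd would print for
# the corresponding case; only the keyword on the second line differs.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Snapshot Signing Key <snapshot@example.invalid>
[GNUPG:] TRUST_ULTIMATE 0 pgp'
REVOKED_STATUS='[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG 0123456789ABCDEF Example Snapshot Signing Key <snapshot@example.invalid>
[GNUPG:] TRUST_ULTIMATE 0 pgp'
EXPIRED_STATUS='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Snapshot Signing Key <snapshot@example.invalid>
[GNUPG:] TRUST_ULTIMATE 0 pgp'
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Snapshot Signing Key <snapshot@example.invalid>'
UNTRUSTED_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Snapshot Signing Key <snapshot@example.invalid>
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Walk the samples: only the first one is accepted; the revoked and expired
# cases, which 'gpg --verify' alone would let through with exit status 0,
# are rejected like a bad signature.
printf 'good key        -> %s\n' "$(check_gpg_status "$GOOD_STATUS" || true)"
printf 'revoked key     -> %s\n' "$(check_gpg_status "$REVOKED_STATUS" || true)"
printf 'expired key     -> %s\n' "$(check_gpg_status "$EXPIRED_STATUS" || true)"
printf 'bad signature   -> %s\n' "$(check_gpg_status "$BAD_STATUS" || true)"
printf 'no ownertrust   -> %s\n' "$(check_gpg_status "$UNTRUSTED_STATUS" || true)"
```

The TRUST_* handling assumes the snapshot key has ownertrust assigned in the keyring that verify_detached is pointed at; a key without ownertrust yields TRUST_UNDEFINED and is rejected here, which is the conservative choice for an automated job where nobody reads the warnings.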
Please review: https://gitweb.gentoo.org/proj/portage.git/commit/?id=ffd68477e5c1e1badf60c86ae221c90dad50390d
At first glance, it should fix the immediate problem. However, I hate it because it's yet another part of duplicated code in this ugly thing.
Strict signature checking has been enabled since sys-apps/portage-2.3.22: https://gitweb.gentoo.org/proj/portage.git/commit/?id=ffd68477e5c1e1badf60c86ae221c90dad50390d
*** Bug 570734 has been marked as a duplicate of this bug. ***
Also fixed in app-portage/emerge-delta-webrsync-3.7.4: https://gitweb.gentoo.org/proj/portage.git/commit/?id=52d5d444ffb144911ca9b6e70b383405a8bd8af6
Please clean up, version 2.3.8 : 0
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf2a7ad91461e9d48b8abc66726ab80d22d7209c

commit cf2a7ad91461e9d48b8abc66726ab80d22d7209c
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2019-03-12 07:37:29 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2019-03-12 07:39:36 +0000

    sys-apps/portage: remove version 2.3.8

    Bug: https://bugs.gentoo.org/646212
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/portage/Manifest             |   1 -
 sys-apps/portage/portage-2.3.8.ebuild | 244 ----------------------------------
 2 files changed, 245 deletions(-)
@arches, please stabilize.
Stable candidate should now be emerge-delta-webrsync-3.7.5.
amd64 stable
x86 stable
alpha stable
ia64 stable
ppc stable
@portage, please drop vulnerable.
This issue was resolved and addressed in GLSA 201904-11 at https://security.gentoo.org/glsa/201904-11 by GLSA coordinator Aaron Bauman (b-man).