Disclaimer: I haven't tested it practically but eyeball-verified that the code is vulnerable.
The signature verification in emerge-webrsync (which has been copied into emerge-delta-webrsync as well) pretty much boils down to running 'gpg --verify ...' and checking the return code. However, gpg will return a successful return code if the signature is valid but has been made by a *revoked* key.
It's basically the same problem as bug #570734 but it has been ignored there because the submitter noticed only that it applies to expired keys. However, the lack of explicit gpg status code verification means the verification will only fail if there is no signature, no matching key or the signature is bad. Untrusted, expired and revoked keys are merely reported as warnings.
This means that if a malicious third party obtains the Gentoo snapshot signing key and Infra revokes it, and even if the user makes sure to regularly refresh the keys and gpg actually fetches the revocation, emerge-webrsync will still proceed with the update and exit successfully. The revocation warning can be easily missed in the following output or when the job is run automatically.
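An added example of the explicit status-code check the report asks for (illustrative code, not the emerge-webrsync or Portage implementation): it parses a `gpg --status-fd` transcript and refuses anything other than GOODSIG plus VALIDSIG from a fully or ultimately trusted key, so a REVKEYSIG or EXPKEYSIG line is a hard failure even though gpg itself exits 0. The key ids, fingerprints and status transcripts below are constructed.

```shell
#!/bin/sh
# Added example, not the emerge-webrsync code. Decides from gpg's
# machine-readable status lines ('[GNUPG:] KEYWORD ...') whether a
# verified signature may be trusted. Checking only gpg's exit code is
# insufficient: a signature by a revoked or expired key exits 0.

# has_status KEYWORD TEXT -> true if TEXT contains a '[GNUPG:] KEYWORD' line
has_status() {
    printf '%s\n' "$2" | grep -E -q "^\[GNUPG:\] $1( |\$)"
}

# verdict_from_status TEXT -> echoes "ok" or a rejection reason;
# returns 0 only for "ok".
verdict_from_status() {
    s=$1
    # Bad or unverifiable signature: gpg already exits non-zero here.
    for kw in BADSIG ERRSIG NO_PUBKEY NODATA; do
        has_status "$kw" "$s" && { echo "rejected: $kw"; return 1; }
    done
    # Revoked key, expired key or expired signature: gpg exits 0 with a
    # warning, which is exactly the case the return-code check misses.
    for kw in REVKEYSIG EXPKEYSIG EXPSIG; do
        has_status "$kw" "$s" && { echo "rejected: $kw"; return 1; }
    done
    # Demand a positive verdict and full/ultimate trust in the key, not
    # merely a valid signature by some key that happens to be in the keyring.
    has_status GOODSIG  "$s" || { echo "rejected: no GOODSIG";  return 1; }
    has_status VALIDSIG "$s" || { echo "rejected: no VALIDSIG"; return 1; }
    if has_status TRUST_ULTIMATE "$s" || has_status TRUST_FULLY "$s"; then
        echo ok; return 0
    fi
    echo "rejected: key not trusted"; return 1
}

# verify_detached SIGFILE DATAFILE -> runs gpg and feeds its status lines
# (sent to stdout via --status-fd 1) into verdict_from_status.
verify_detached() {
    verdict_from_status "$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null)"
}

# Constructed transcripts (placeholder key id and fingerprint).
FPR=00112233445566778899AABBCCDDEEFF01234567
GOOD_STATUS=$(printf '%s\n' '[GNUPG:] NEWSIG' \
  '[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Key <key@example.invalid>' \
  "[GNUPG:] VALIDSIG $FPR 2019-03-12 1552375049 0 4 0 1 10 00 $FPR" \
  '[GNUPG:] TRUST_ULTIMATE 0 pgp')
REVOKED_STATUS=$(printf '%s\n' '[GNUPG:] NEWSIG' '[GNUPG:] KEYREVOKED' \
  '[GNUPG:] REVKEYSIG 0123456789ABCDEF Constructed Key <key@example.invalid>' \
  "[GNUPG:] VALIDSIG $FPR 2019-03-12 1552375049 0 4 0 1 10 00 $FPR" \
  '[GNUPG:] TRUST_UNDEFINED 0 pgp')

verdict_from_status "$GOOD_STATUS"
verdict_from_status "$REVOKED_STATUS" || :
```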
At a first glance, it should fix the immediate problem. However, I hate it because it's yet another part of duplicated code in this ugly thing.
Strict signature checking has been enabled since sys-apps/portage-2.3.22:
*** Bug 570734 has been marked as a duplicate of this bug. ***
Also fixed in app-portage/emerge-delta-webrsync-3.7.4:
Please clean up, version 2.3.8 : 0
The bug has been referenced in the following commit(s):
Author: Zac Medico <email@example.com>
AuthorDate: 2019-03-12 07:37:29 +0000
Commit: Zac Medico <firstname.lastname@example.org>
CommitDate: 2019-03-12 07:39:36 +0000
sys-apps/portage: remove version 2.3.8
Package-Manager: Portage-2.3.62, Repoman-2.3.12
Signed-off-by: Zac Medico <email@example.com>
sys-apps/portage/Manifest | 1 -
sys-apps/portage/portage-2.3.8.ebuild | 244 ----------------------------------
2 files changed, 245 deletions(-)
@arches, please stabilize.
Stable candidate should now be emerge-delta-webrsync-3.7.5.
@portage, please drop vulnerable.
This issue was resolved and addressed in
GLSA 201904-11 at https://security.gentoo.org/glsa/201904-11
by GLSA coordinator Aaron Bauman (b-man).