Main Vulnerability Database Vulnerabilities #VU41273

Cryptographic issues in Portage - CVE-2013-2100

Published: September 30, 2014 / Updated: August 10, 2020

Vulnerability identifier: #VU41273

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2013-2100

CWE-ID: CWE-310

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Gentoo

Affected software:
Portage

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage 2.1.12, when using HTTPS, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and modify binary package lists via a crafted certificate.

How to mitigate CVE-2013-2100

Install update from vendor's website.

Sources

http://openwall.com/lists/oss-security/2013/05/15/5
http://openwall.com/lists/oss-security/2013/05/16/3
http://www.securityfocus.com/bid/59878
https://bugs.gentoo.org/show_bug.cgi?id=469888
https://exchange.xforce.ibmcloud.com/vulnerabilities/84315
https://security.gentoo.org/glsa/201507-16

Cryptographic issues in Portage - CVE-2013-2100

Detailed vulnerability description

How to mitigate CVE-2013-2100

Sources

Please verify you're human