Gentoo

By the Year

In 2025 there have been 5 vulnerabilities in Gentoo with an average score of 7.3 out of ten. Last year, in 2024 Gentoo had 3 security vulnerabilities published. That is, 2 more vulnerabilities have already been reported in 2025 as compared to last year. Last year, the average CVE base score was greater by 0.85

Recent Gentoo Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2024-12084	Jan 15, 2025	rsync Daemon Heap Bof via Checksum Length Overrun A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.	Linux
CVE-2024-12085	Jan 14, 2025	Rsync: Checksum Length Manipulation Enables Stack Data Leak A flaw was found in rsync which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.	Linux
CVE-2024-12086	Jan 14, 2025	Rsync Server Remote File Enumeration via Checksum Exploit A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client.	Linux
CVE-2024-12087	Jan 14, 2025	Path traversal in rsync via --inc-recursive option A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.	Linux
CVE-2024-12088	Jan 14, 2025	Rsync --safe-links Path Traversal, Arbitrary File Write A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.	Linux
CVE-2023-52046	Jan 25, 2024	Webmin 2.105 XSS via Execute cron job as field Cross Site Scripting vulnerability (XSS) in webmin v.2.105 and earlier allows a remote attacker to execute arbitrary code via a crafted payload to the "Execute cron job as" tab Input field.	Webmin
CVE-2020-36770	Jan 15, 2024	Slurm pkg_postinst chown flaw allows owner escalation pre-22.05.3 pkg_postinst in the Gentoo ebuild for Slurm through 22.05.3 unnecessarily calls chown to assign root's ownership on files in the live root filesystem. This could be exploited by the slurm user to become the owner of root-owned files.	Ebuild For Slurm
CVE-2016-20021	Jan 12, 2024	Gentoo Portage<3.0.47: emerge-webrsync Missing PGP Validation In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-webrsync is used, Portage is not vulnerable.	Portage
CVE-2023-28424	Mar 20, 2023	Soko if the code that powers packages.gentoo.org Soko if the code that powers packages.gentoo.org. Prior to version 1.0.2, the two package search handlers, `Search` and `SearchFeed`, implemented in `pkg/app/handler/packages/search.go`, are affected by a SQL injection via the `q` parameter. As a result, unauthenticated attackers can execute arbitrary SQL queries on `https://packages.gentoo.org/`. It was also demonstrated that primitive was enough to gain code execution in the context of the PostgreSQL container. The issue was addressed in commit `4fa6e4b619c0362728955b6ec56eab0e0cbf1e23y` of version 1.0.2 using prepared statements to interpolate user-controlled data in SQL queries.	Soko
CVE-2023-26033	Feb 25, 2023	Gentoo soko is the code that powers packages.gentoo.org Gentoo soko is the code that powers packages.gentoo.org. Versions prior to 1.0.1 are vulnerable to SQL Injection, leading to a Denial of Service. If the user selects (in user preferences) the "Recently Visited Packages" view for the index page, the value of the `search_history` cookie is used as a base64 encoded comma separated list of atoms. These are string loaded directly into the SQL query with `atom = '%s'` format string. As a result, any user can modify the browser's cookie value and inject most SQL queries. A proof of concept malformed cookie was generated that wiped the database or changed it's content. On the database, only public data is stored, so there is no confidentiality issues to site users. If it is known that the database was modified, a full restoration of data is possible by performing a full database wipe and performing full update of all components. This issue is patched with commit id 5ae9ca83b73. Version 1.0.1 contains the patch. If users are unable to upgrade immediately, the following workarounds may be applied: (1.) Use a proxy to always drop the `search_history` cookie until upgraded. The impact on user experience is low. (2.) Sanitize to the value of `search_history` cookie after base64 decoding it.	Soko
CVE-2019-20384	Jan 21, 2020	Gentoo Portage through 2.3.84 Gentoo Portage through 2.3.84 allows local users to place a Trojan horse plugin in the /usr/lib64/nagios/plugins directory by leveraging access to the nagios user account, because this directory is writable in between a call to emake and a call to fowners.	Portage
CVE-2013-0348	Dec 13, 2013	thttpd.c in sthttpd before 2.26.4-r2 and thttpd 2.25b use world-readable permissions for /var/log/thttpd.log, which thttpd.c in sthttpd before 2.26.4-r2 and thttpd 2.25b use world-readable permissions for /var/log/thttpd.log, which allows local users to obtain sensitive information by reading the file.	Linux
CVE-2011-1098	Mar 30, 2011	Race condition in the createOutputFile function in logrotate.c in logrotate 3.7.9 and earlier Race condition in the createOutputFile function in logrotate.c in logrotate 3.7.9 and earlier allows local users to read log data by opening a file before the intended permissions are in place.	Logrotate
CVE-2008-4580	Oct 15, 2008	fence_manual, as used in fence 2.02.00-r1 and possibly cman fence_manual, as used in fence 2.02.00-r1 and possibly cman, allows local users to modify arbitrary files via a symlink attack on the fence_manual.fifo temporary file.	Cman Fence
CVE-2008-4579	Oct 15, 2008	The (1) fence_apc and (2) fence_apc_snmp programs, as used in (a) fence 2.02.00-r1 and possibly (b) cman, when running in verbose mode The (1) fence_apc and (2) fence_apc_snmp programs, as used in (a) fence 2.02.00-r1 and possibly (b) cman, when running in verbose mode, allows local users to append to arbitrary files via a symlink attack on the apclog temporary file.	Cman Fence
CVE-2008-1078	Feb 29, 2008	expn in the am-utils and net-fs packages for Gentoo, rPath Linux, and other distributions expn in the am-utils and net-fs packages for Gentoo, rPath Linux, and other distributions, allows local users to overwrite arbitrary files via a symlink attack on the expn[PID] temporary file. NOTE: this is the same issue as CVE-2003-0308.1.	Linux
CVE-2007-3508	Jul 03, 2007	Integer overflow in the process_envvars function in elf/rtld.c in glibc before 2.5-rc4 might Integer overflow in the process_envvars function in elf/rtld.c in glibc before 2.5-rc4 might allow local users to execute arbitrary code via a large LD_HWCAP_MASK environment variable value. NOTE: the glibc maintainers state that they do not believe that this issue is exploitable for code execution	Glibc
CVE-2004-1027	Mar 01, 2005	Directory traversal vulnerability in the -x (extract) command line option in unarj allows remote attackers to overwrite arbitrary files via an arj archive with filenames Directory traversal vulnerability in the -x (extract) command line option in unarj allows remote attackers to overwrite arbitrary files via an arj archive with filenames that contain .. (dot dot) sequences.	Linux
CVE-2004-0937	Feb 09, 2005	Sophos Anti-Virus before 3.87.0, and Sophos Anti-Virus for Windows 95, 98, and Me before 3.88.0 Sophos Anti-Virus before 3.87.0, and Sophos Anti-Virus for Windows 95, 98, and Me before 3.88.0, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.	Linux
CVE-2004-0933	Jan 27, 2005	Computer Associates (CA) InoculateIT 6.0, eTrust Antivirus r6.0 through r7.1, eTrust Antivirus for the Gateway r7.0 and r7.1, eTrust Secure Content Manager, eTrust Intrusion Detection, EZ-Armor 2.0 through 2.4, and EZ-Antivirus 6.1 through 6.3 Computer Associates (CA) InoculateIT 6.0, eTrust Antivirus r6.0 through r7.1, eTrust Antivirus for the Gateway r7.0 and r7.1, eTrust Secure Content Manager, eTrust Intrusion Detection, EZ-Armor 2.0 through 2.4, and EZ-Antivirus 6.1 through 6.3 allow remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.	Linux
CVE-2004-0932	Jan 27, 2005	McAfee Anti-Virus Engine DATS drivers before 4398 released on Oct 13th 2004 and DATS Driver before 4397 October 6th 2004 McAfee Anti-Virus Engine DATS drivers before 4398 released on Oct 13th 2004 and DATS Driver before 4397 October 6th 2004 allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.	Linux
CVE-2004-0936	Jan 27, 2005	RAV antivirus allows remote attackers to bypass antivirus protection RAV antivirus allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.	Linux
CVE-2004-0935	Jan 27, 2005	Eset Anti-Virus before 1.020 (16th September 2004) Eset Anti-Virus before 1.020 (16th September 2004) allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.	Linux
CVE-2004-0934	Jan 27, 2005	Kaspersky 3.x to 4.x Kaspersky 3.x to 4.x allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.	Linux
CVE-2004-1096	Jan 10, 2005	Archive::Zip Perl module before 1.14, when used by antivirus programs such as amavisd-new Archive::Zip Perl module before 1.14, when used by antivirus programs such as amavisd-new, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.	Linux
CVE-2004-1106	Jan 10, 2005	Cross-site scripting (XSS) vulnerability in Gallery 1.4.4-pl3 and earlier Cross-site scripting (XSS) vulnerability in Gallery 1.4.4-pl3 and earlier allows remote attackers to execute arbitrary web script or HTML via "specially formed URLs," possibly via the include parameter in index.php.	Linux
CVE-2004-1901	Dec 31, 2004	Portage before 2.0.50-r3 Portage before 2.0.50-r3 allows local users to overwrite arbitrary files via a hard link attack on the lockfiles.	Linux Portage
CVE-2004-1491	Dec 31, 2004	Opera 7.54 and earlier uses kfmclient exec to handle unknown MIME types, which allows remote attackers to execute arbitrary code via a shortcut or launcher Opera 7.54 and earlier uses kfmclient exec to handle unknown MIME types, which allows remote attackers to execute arbitrary code via a shortcut or launcher that contains an Exec entry.	Linux
CVE-2004-0633	Dec 06, 2004	The iSNS dissector for Ethereal 0.10.3 through 0.10.4 The iSNS dissector for Ethereal 0.10.3 through 0.10.4 allows remote attackers to cause a denial of service (process abort) via an integer overflow.	Linux
CVE-2004-0634	Dec 06, 2004	The SMB SID snooping capability in Ethereal 0.9.15 to 0.10.4 The SMB SID snooping capability in Ethereal 0.9.15 to 0.10.4 allows remote attackers to cause a denial of service (process crash) via a handle without a policy name, which causes a null dereference.	Linux
CVE-2004-0635	Dec 06, 2004	The SNMP dissector in Ethereal 0.8.15 through 0.10.4 The SNMP dissector in Ethereal 0.8.15 through 0.10.4 allows remote attackers to cause a denial of service (process crash) via a (1) malformed or (2) missing community string, which causes an out-of-bounds read.	Linux
CVE-2004-0809	Sep 16, 2004	The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access.	Linux
CVE-2004-0667	Aug 06, 2004	Rule Set Based Access Control (RSBAC) 1.2.2 through 1.2.3 Rule Set Based Access Control (RSBAC) 1.2.2 through 1.2.3 allows access to sys_creat, sys_open, and sys_mknod inside jails, which could allow local users to gain elevated privileges.	Linux
CVE-2004-0493	Aug 06, 2004	The ap_get_mime_headers_core function in Apache httpd 2.0.49 The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64 bit systems, via long header lines with large numbers of space or tab characters.	Linux
CVE-2004-0488	Jul 07, 2004	Stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may Stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN.	Linux
CVE-2002-1337	Mar 07, 2003	Buffer overflow in Sendmail 5.79 to 8.12.7 Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, related to sender and recipient header comments as processed by the crackaddr function of headers.c.	Linux