
Bug 829116 (CVE-2020-16154)

Summary: dev-perl/App-cpanminus: signature verification bypass
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: normal
CC: perl
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
Whiteboard: B2 [upstream]
Package list: (none)
Runtime testing required: ---

Description by John Helmert III (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2021-12-13 19:50:16 UTC
CVE-2020-16154:

The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass.

I can't tell if there's a fixed version based on the URL.
Comment 1 by Andreas K. Hüttel (archtester, gentoo-dev), 2021-12-18 16:02:08 UTC
No motion upstream since 2018... 108 open bugs...

That said, by default cpanm doesn't verify signatures at all anyway.

https://metacpan.org/pod/App::cpanminus
Comment 2 by Sam James (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2023-06-22 05:01:40 UTC
commit 03300f1d7970874eee8c3a14e1060de6036ce696
Author: Sam James <sam@gentoo.org>
Date:   Thu Jun 22 05:30:12 2023 +0100

    dev-perl/App-cpanminus: add 1.704.600

    Signed-off-by: Sam James <sam@gentoo.org>

Not sure if it counts as a fix though... Changes (https://metacpan.org/dist/App-cpanminus/changes) says:
"""

1.7045  2022-01-26 19:03:44 PST
   [Security]
      - [CVE-2020-16154] remove the functionality to verify CHECKSUMS signature
"""