
Bug 829116 (CVE-2020-16154)

Summary: dev-perl/App-cpanminus: signature verification bypass
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: normal
CC: perl
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
Whiteboard: B2 [upstream]
Package list:
Runtime testing required: ---

Description John Helmert III gentoo-dev Security 2021-12-13 19:50:16 UTC
CVE-2020-16154:

The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass.

I can't tell if there's a fixed version based on the URL.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2021-12-18 16:02:08 UTC
No motion upstream since 2018... 108 open bugs...

That said, by default cpanm doesn't verify signatures at all anyway.

https://metacpan.org/pod/App::cpanminus