Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 829118 (CVE-2020-16155)

Summary: <dev-perl/CPAN-Checksums-2.140.0: lacks definition of signed data (CVE-2020-16155)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: trivial CC: perl
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: C4 [noglsa cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 833662    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-13 20:02:55 UTC

The CPAN::Checksums package 2.12 for Perl does not uniquely define signed data.

Not really sure about the impact of this, but also can't find a fixed version.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2021-12-18 15:45:05 UTC
This is mostly an issue that affects CPAN (the archive) itself, not so much one that affects user-run software.

I assume it's been fixed by the combination of
1) release 2.13 (introducing an additional path parameter) and
2) the way this is called on CPAN (something we can't verify without running the exploit).

So, not much to do here. I'll bump the module now, but unless you're running a clone of CPAN (not a mirror, but the root database), this shouldnt matter to you.
Comment 2 Larry the Git Cow gentoo-dev 2021-12-18 15:49:04 UTC
The bug has been referenced in the following commit(s):

commit 958aac2f4e591b7f67b712b3f1dee6469554610c
Author:     Andreas K. Hüttel <>
AuthorDate: 2021-12-18 15:48:41 +0000
Commit:     Andreas K. Hüttel <>
CommitDate: 2021-12-18 15:48:53 +0000

    dev-perl/CPAN-Checksums: Version bump 2.14
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <>

 .../CPAN-Checksums/CPAN-Checksums-2.140.0.ebuild   | 41 ++++++++++++++++++++++
 dev-perl/CPAN-Checksums/Manifest                   |  1 +
 2 files changed, 42 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-19 15:06:58 UTC
Please cleanup