| Summary: | <dev-perl/CPAN-Checksums-2.140.0: lacks definition of signed data (CVE-2020-16155) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | ||
| Severity: | trivial | CC: | perl |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/ | ||
| Whiteboard: | C4 [noglsa cleanup] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 833662 | ||
| Bug Blocks: | |||
|
Description
John Helmert III
2021-12-13 20:02:55 UTC
This is mostly an issue that affects CPAN (the archive) itself, not so much one that affects user-run software. I assume it's been fixed by the combination of 1) release 2.13 (introducing an additional path parameter) and 2) the way this is called on CPAN (something we can't verify without running the exploit). So, not much to do here. I'll bump the module now, but unless you're running a clone of CPAN (not a mirror, but the root database), this shouldnt matter to you. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=958aac2f4e591b7f67b712b3f1dee6469554610c commit 958aac2f4e591b7f67b712b3f1dee6469554610c Author: Andreas K. Hüttel <dilfridge@gentoo.org> AuthorDate: 2021-12-18 15:48:41 +0000 Commit: Andreas K. Hüttel <dilfridge@gentoo.org> CommitDate: 2021-12-18 15:48:53 +0000 dev-perl/CPAN-Checksums: Version bump 2.14 Bug: https://bugs.gentoo.org/829118 Package-Manager: Portage-3.0.28, Repoman-3.0.3 Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org> .../CPAN-Checksums/CPAN-Checksums-2.140.0.ebuild | 41 ++++++++++++++++++++++ dev-perl/CPAN-Checksums/Manifest | 1 + 2 files changed, 42 insertions(+) Please cleanup |