829116 – (CVE-2020-16154) dev-perl/App-cpanminus: signature verification bypass

Bug 829116 (CVE-2020-16154) - dev-perl/App-cpanminus: signature verification bypass

Summary: dev-perl/App-cpanminus: signature verification bypass

Status:	CONFIRMED

Alias:	CVE-2020-16154

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://blog.hackeriet.no/cpan-signat...
Whiteboard:	B2 [upstream]
Keywords:

Depends on:
Blocks:

Reported:	2021-12-13 19:50 UTC by John Helmert III
Modified:	2021-12-18 16:02 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III gentoo-dev

2021-12-13 19:50:16 UTC

CVE-2020-16154:

The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass.

I can't tell if there's a fixed version based on URL.

Comment 1 Andreas K. Hüttel archtester

2021-12-18 16:02:08 UTC

No motion upstream since 2018... 108 open bugs...

That said, by default cpanm doesnt verify signatures at all anyway.

https://metacpan.org/pod/App::cpanminus