Bug 829116 (CVE-2020-16154) - dev-perl/App-cpanminus: signature verification bypass
Summary: dev-perl/App-cpanminus: signature verification bypass
Status: CONFIRMED
Alias: CVE-2020-16154
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://blog.hackeriet.no/cpan-signat...
Whiteboard: B2 [upstream]
Reported: 2021-12-13 19:50 UTC by John Helmert III
Modified: 2023-06-22 05:01 UTC
Description John Helmert III 2021-12-13 19:50:16 UTC
CVE-2020-16154:

The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass.

I can't tell if there's a fixed version based on the URL.
Comment 1 Andreas K. Hüttel 2021-12-18 16:02:08 UTC
No motion upstream since 2018... 108 open bugs...

That said, by default cpanm doesn't verify signatures at all anyway.

https://metacpan.org/pod/App::cpanminus
Comment 2 Sam James 2023-06-22 05:01:40 UTC
commit 03300f1d7970874eee8c3a14e1060de6036ce696
Author: Sam James <sam@gentoo.org>
Date:   Thu Jun 22 05:30:12 2023 +0100

    dev-perl/App-cpanminus: add 1.704.600

    Signed-off-by: Sam James <sam@gentoo.org>

Not sure if it counts as a fix though... Changes (https://metacpan.org/dist/App-cpanminus/changes) says:
"""

1.7045  2022-01-26 19:03:44 PST
   [Security]
      - [CVE-2020-16154] remove the functionality to verify CHECKSUMS signature
"""