Bug 829116 (CVE-2020-16154) - dev-perl/App-cpanminus: signature verification bypass
Summary: dev-perl/App-cpanminus: signature verification bypass
Status: CONFIRMED
Alias: CVE-2020-16154
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://blog.hackeriet.no/cpan-signat...
Whiteboard: B2 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-12-13 19:50 UTC by John Helmert III
Modified: 2021-12-18 16:02 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III gentoo-dev Security 2021-12-13 19:50:16 UTC
CVE-2020-16154:

The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass.

I can't tell if there's a fixed version based on URL.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2021-12-18 16:02:08 UTC
No motion upstream since 2018... 108 open bugs...

That said, by default cpanm doesn't verify signatures at all anyway.

https://metacpan.org/pod/App::cpanminus