The CPAN::Checksums package 2.12 for Perl does not uniquely define signed data.
Not really sure about the impact of this, but also can't find a fixed version.
This is mostly an issue that affects CPAN (the archive) itself, not so much one that affects user-run software.
I assume it's been fixed by the combination of
1) release 2.13 (introducing an additional path parameter) and
2) the way this is called on CPAN (something we can't verify without running the exploit).
So, not much to do here. I'll bump the module now, but unless you're running a clone of CPAN (not a mirror, but the root database), this shouldn't matter to you.
The bug has been referenced in the following commit(s):
Author: Andreas K. Hüttel <email@example.com>
AuthorDate: 2021-12-18 15:48:41 +0000
Commit: Andreas K. Hüttel <firstname.lastname@example.org>
CommitDate: 2021-12-18 15:48:53 +0000
dev-perl/CPAN-Checksums: Version bump 2.14
Package-Manager: Portage-3.0.28, Repoman-3.0.3
Signed-off-by: Andreas K. Hüttel <email@example.com>
.../CPAN-Checksums/CPAN-Checksums-2.140.0.ebuild | 41 ++++++++++++++++++++++
dev-perl/CPAN-Checksums/Manifest | 1 +
2 files changed, 42 insertions(+)