Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 829118 (CVE-2020-16155) - <dev-perl/CPAN-Checksums-2.140.0: lacks definition of signed data (CVE-2020-16155)
Summary: <dev-perl/CPAN-Checksums-2.140.0: lacks definition of signed data (CVE-2020-1...
Alias: CVE-2020-16155
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: C4 [noglsa cleanup]
Depends on: 833662
  Show dependency tree
Reported: 2021-12-13 20:02 UTC by John Helmert III
Modified: 2022-02-19 15:06 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-13 20:02:55 UTC

The CPAN::Checksums package 2.12 for Perl does not uniquely define signed data.

Not really sure about the impact of this, but also can't find a fixed version.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2021-12-18 15:45:05 UTC
This is mostly an issue that affects CPAN (the archive) itself, not so much one that affects user-run software.

I assume it's been fixed by the combination of
1) release 2.13 (introducing an additional path parameter) and
2) the way this is called on CPAN (something we can't verify without running the exploit).

So, not much to do here. I'll bump the module now, but unless you're running a clone of CPAN (not a mirror, but the root database), this shouldnt matter to you.
Comment 2 Larry the Git Cow gentoo-dev 2021-12-18 15:49:04 UTC
The bug has been referenced in the following commit(s):

commit 958aac2f4e591b7f67b712b3f1dee6469554610c
Author:     Andreas K. Hüttel <>
AuthorDate: 2021-12-18 15:48:41 +0000
Commit:     Andreas K. Hüttel <>
CommitDate: 2021-12-18 15:48:53 +0000

    dev-perl/CPAN-Checksums: Version bump 2.14
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <>

 .../CPAN-Checksums/CPAN-Checksums-2.140.0.ebuild   | 41 ++++++++++++++++++++++
 dev-perl/CPAN-Checksums/Manifest                   |  1 +
 2 files changed, 42 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-19 15:06:58 UTC
Please cleanup