Bug 2035341 (CVE-2020-16154) - CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files
Keywords:
Status: NEW
Alias: CVE-2020-16154
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2035342 2037407 2037408 2038834 2038835 2038836 2038837
Blocks: 2035343
Reported: 2021-12-23 17:08 UTC by Marian Rehak
Modified: 2023-09-26 18:40 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the perl-App-cpanminus performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification.
Clone Of:
Environment:
Last Closed:
Embargoed:

Description Marian Rehak 2021-12-23 17:08:46 UTC
An attacker can prepend checksums for modified packages to the beginning of CHECKSUMS files, before the cleartext PGP headers. This makes the Module::Signature::_verify() checks in both cpan and cpanm pass.

External Reference:

https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/

Comment 1 Marian Rehak 2021-12-23 17:09:00 UTC
Created perl-App-cpanminus tracking bugs for this issue:

Affects: fedora-all [bug 2035342]

Comment 2 Tomas Hoger 2022-01-05 14:59:39 UTC
Refer to bug 2035273 comment 2 for additional details about this issue.  Bug 2035273 covers these problems in perl-CPAN / CPAN.pm, and App::cpanminus is affected in a similar way and hence the description of issues applies to both modules.

The App::cpanminus module has not yet been fixed for this issue.  Fixes were only applied to Menlo / Menlo-Legacy, which is a development version of the future cpanm version 2.0.

Commit that corrects checking of the Module::Signature::_verify() return value:
https://github.com/miyagawa/cpanminus/commit/98f43b64165a54e05ce25f9de09284ccb34f4776

Commit that adds support for the cpan_path attribute in CHECKSUMS files:
https://github.com/miyagawa/cpanminus/commit/3c93db75ccbc75c813c7f12ea0301af20a265f65

Comment 3 Tomas Hoger 2022-01-05 15:12:44 UTC
Created perl-App-cpanminus:1.7044/perl-App-cpanminus tracking bugs for this issue:

Affects: fedora-all [bug 2037408]


Created perl-Menlo-Legacy tracking bugs for this issue:

Affects: fedora-all [bug 2037407]

Comment 5 Tomas Hoger 2022-01-07 20:32:46 UTC
Upstream fixes linked in comment 2 do not completely address all issues - they still make it possible to include crafted $cksum data before the signed content of the CHECKSUMS file and have that accepted by App::cpanminus.  This problem was reported upstream via:

https://github.com/miyagawa/cpanminus/issues/639

Upstream responded that their decision was to not fix and rather remove signature verification completely:

https://github.com/miyagawa/cpanminus/commit/1afe4a9cac56fa593e24bf5714c8992ba04b925e
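
The Description and comment 5 both come down to one point: data that sits outside the PGP-clearsigned body of a CHECKSUMS file is not covered by the signature, so a checker must act only on the signed text, not on the whole file. The following Python script is an added illustration of that distinction; it is not code from cpanm, CPAN.pm or Module::Signature, and it assumes the PGP signature itself is verified separately (by gpg or Module::Signature). The CHECKSUMS text and archive bytes are constructed samples that mimic the layout of a real file, including the Perl preamble before the PGP header (which is why simply rejecting any leading text is not an option). The `strict=False` mode is a simplified stand-in for the flawed behaviour the bug describes, not a reproduction of cpanm's parsing.

```python
# Added example (not cpanm's or CPAN.pm's code): take package checksums only
# from the PGP-clearsigned body of a CHECKSUMS file.  The signature itself is
# assumed to be verified elsewhere (gpg / Module::Signature); the point shown
# here is that the data acted on must be the text that signature covers.
import hashlib
import hmac
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIGNATURE = "-----BEGIN PGP SIGNATURE-----"


def signed_body(text):
    """Return only the text inside the RFC 4880 cleartext-signature framing.

    Anything before the BEGIN PGP SIGNED MESSAGE line (CHECKSUMS files carry a
    short Perl preamble there) or after the signature block is not covered by
    the signature and is discarded.  Raises ValueError if the framing is absent.
    """
    lines = text.split("\n")
    if BEGIN_SIGNED not in lines:
        raise ValueError("no cleartext signature header")
    i = lines.index(BEGIN_SIGNED) + 1
    while i < len(lines) and lines[i] != "":   # skip armor headers such as "Hash: SHA256"
        i += 1
    i += 1                                      # skip the blank separator line
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIGNATURE:
        line = lines[i]
        if line.startswith("- "):               # undo cleartext dash-escaping
            line = line[2:]
        body.append(line)
        i += 1
    if i >= len(lines):
        raise ValueError("no signature block")
    return "\n".join(body)


# Minimal parser for the Perl hash literal assigned to $cksum.  It understands
# the flat 'key' => 'value' / 'key' => number entries used by CHECKSUMS files.
CKSUM_RE = re.compile(r"\$cksum\s*=\s*\{(.*?)\};", re.S)
ENTRY_RE = re.compile(r"'([^']+)'\s*=>\s*\{([^}]*)\}", re.S)
FIELD_RE = re.compile(r"'(\w+)'\s*=>\s*'?([^',\s]+)'?")


def parse_cksum(perl_text):
    """Return {filename: {field: value}} from the first $cksum assignment found."""
    m = CKSUM_RE.search(perl_text)
    if m is None:
        raise ValueError("no $cksum assignment")
    return {name: dict(FIELD_RE.findall(fields))
            for name, fields in ENTRY_RE.findall(m.group(1))}


def verify_download(checksums_text, filename, data, strict=True):
    """Check downloaded bytes against the CHECKSUMS entry for filename.

    strict=True parses only the signed body.  strict=False parses the raw file
    and is a simplified stand-in for the flawed behaviour this bug describes:
    checksum data placed before the signed text is accepted.
    """
    source = signed_body(checksums_text) if strict else checksums_text
    entry = parse_cksum(source).get(filename)
    if entry is None or int(entry.get("size", -1)) != len(data):
        return False
    return hmac.compare_digest(entry.get("sha256", ""),
                               hashlib.sha256(data).hexdigest())


# --- constructed sample inputs (not real CPAN data) ---
DIST = "Example-Dist-1.00.tar.gz"
GENUINE = b"constructed genuine archive bytes\n"
TAMPERED = b"constructed tampered archive bytes\n"


def _cksum_block(data):
    return ("$cksum = {\n"
            f"  '{DIST}' => {{\n"
            f"    'sha256' => '{hashlib.sha256(data).hexdigest()}',\n"
            f"    'size' => {len(data)},\n"
            "  },\n"
            "};\n")


GENUINE_CHECKSUMS = (
    "0&&<<''; # this PGP-signed message is also valid perl\n"
    f"{BEGIN_SIGNED}\nHash: SHA256\n\n"
    "# CHECKSUMS file for directory $CPAN/authors/id/E/EX/EXAMPLE (constructed).\n\n"
    + _cksum_block(GENUINE) +
    f"__END__\n{BEGIN_SIGNATURE}\n(signature lines omitted in this sample)\n"
    "-----END PGP SIGNATURE-----\n"
)
# The same file with an unsigned $cksum block for a modified archive placed
# before the signed text, the situation described in this bug.
PREPENDED_CHECKSUMS = _cksum_block(TAMPERED) + GENUINE_CHECKSUMS

if __name__ == "__main__":
    print("genuine file, genuine archive:   ", verify_download(GENUINE_CHECKSUMS, DIST, GENUINE))
    print("prepended file, tampered, strict:", verify_download(PREPENDED_CHECKSUMS, DIST, TAMPERED))
    print("prepended file, tampered, naive: ", verify_download(PREPENDED_CHECKSUMS, DIST, TAMPERED, strict=False))
```

In strict mode the prepended block is never seen, so the tampered archive fails against the genuine entry; in the naive mode the unsigned block is the first `$cksum` assignment found and the tampered archive is accepted. The same `signed_body()` output is produced for both files, which is what a correct checker should rely on.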

Comment 7 Tomas Hoger 2022-01-10 09:41:37 UTC
Additional details about these issues can be found in the following blog post:

http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html

Comment 8 Tomas Hoger 2022-01-10 10:41:29 UTC
The mitigation recommended by upstream is to ensure that users are only using trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and always use HTTPS when downloading packages. The cpanm command can be configured to use the specific CPAN mirror using the --from command line option by running it as:

  cpanm --from https://www.cpan.org ...

You can also set environment variable PERL_CPANM_OPT to include this command line option to avoid having to specify the URL for every cpanm invocation:

  export PERL_CPANM_OPT="--from https://www.cpan.org"
