An attacker can prepend checksums for modified packages to the beginning of CHECKSUMS files, before the cleartext PGP headers. This makes the Module::Signature::_verify() checks in both cpan and cpanm pass. External Reference: https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
Created perl-App-cpanminus tracking bugs for this issue:
Affects: fedora-all [bug 2035342]
Refer to bug 2035273 comment 2 for additional details about this issue. Bug 2035273 covers these problems in perl-CPAN / CPAN.pm, and App::cpanminus is affected in a similar way, hence the description of the issues applies to both modules.

The App::cpanminus module has not yet been fixed for this issue. Fixes were only applied to Menlo / Menlo-Legacy, which is a development version of the future cpanm version 2.0.

Commit that corrects checking of the Module::Signature::_verify() return value:
https://github.com/miyagawa/cpanminus/commit/98f43b64165a54e05ce25f9de09284ccb34f4776

Commit that adds support for the cpan_path attribute in CHECKSUMS files:
https://github.com/miyagawa/cpanminus/commit/3c93db75ccbc75c813c7f12ea0301af20a265f65
Created perl-App-cpanminus:1.7044/perl-App-cpanminus tracking bugs for this issue:
Affects: fedora-all [bug 2037408]

Created perl-Menlo-Legacy tracking bugs for this issue:
Affects: fedora-all [bug 2037407]
Upstream fixes linked in comment 2 do not completely address all issues - they still make it possible to include crafted $cksum data before the signed content of the CHECKSUMS file and have that accepted by App::cpanminus. This problem was reported upstream via:
https://github.com/miyagawa/cpanminus/issues/639

Upstream responded that their decision was to not fix and rather remove signature verification completely:
https://github.com/miyagawa/cpanminus/commit/1afe4a9cac56fa593e24bf5714c8992ba04b925e
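The root cause in comment 1 and comment 5 is that data placed outside the cleartext-signed region of a CHECKSUMS file still gets evaluated. The following is an added example (not code from cpanm, CPAN.pm or Module::Signature) that splits a CHECKSUMS file into the signed body and the unsigned material around it, so a loader can evaluate only the signed part and flag anything else. It assumes the conventional `0&&<<'';` Perl line as the only legitimate content ahead of the PGP header; the sample file is constructed.

```python
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
# Assumption: CHECKSUMS files carry one Perl line ahead of the PGP header so
# the file is also valid Perl; any other content outside the block is stray.
ALLOWED_PREFIX = re.compile(r"^0&&<<'';")

def split_checksums(text):
    """Return (before, signed_body, after) for a cleartext-signed CHECKSUMS.

    Only signed_body is covered by the signature; 'before' and 'after' are
    whatever an untrusted mirror may have wrapped around it.
    """
    lines = text.splitlines()
    try:
        h = lines.index(BEGIN_SIGNED)
        s = lines.index(BEGIN_SIG, h)
        e = lines.index(END_SIG, s)
    except ValueError:
        raise ValueError("no complete cleartext-signed block") from None
    # Skip armor headers such as "Hash: SHA256" up to the first blank line.
    body_start = h + 1
    while body_start < s and lines[body_start].strip():
        body_start += 1
    body = lines[body_start + 1:s]
    # Undo RFC 4880 dash-escaping ("- -----") inside the signed text.
    body = [l[2:] if l.startswith("- ") else l for l in body]
    return lines[:h], body, lines[e + 1:]

def unsigned_content(text):
    """Non-blank lines outside the signed block that a naive eval would run."""
    before, _, after = split_checksums(text)
    stray = [l for l in before if l.strip() and not ALLOWED_PREFIX.match(l)]
    return stray + [l for l in after if l.strip()]

# Constructed sample: a mirror has prepended its own $cksum entry ahead of
# the signed block, the pattern described in the comments above.
TAMPERED = """\
$cksum = { 'Evil-1.0.tar.gz' => { 'sha256' => 'deadbeef' } };
0&&<<''; # this PGP-signed message is also valid perl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

$cksum = {
  'Good-1.0.tar.gz' => { 'sha256' => 'cafebabe' },
};
-----BEGIN PGP SIGNATURE-----
(signature armor omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""
```

Evaluating only the middle element of `split_checksums()` drops the prepended entry, and a non-empty `unsigned_content()` result is the signal that a mirror served more than the signed data.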
Additional details about these issues can be found in the following blog post: http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html
The mitigation recommended by upstream is to ensure that users only use trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and always use HTTPS when downloading packages. The cpanm command can be configured to use a specific CPAN mirror with the --from command line option by running it as:

cpanm --from https://www.cpan.org ...

You can also set the environment variable PERL_CPANM_OPT to include this command line option, to avoid having to specify the URL for every cpanm invocation:

export PERL_CPANM_OPT="--from https://www.cpan.org"