Bug 2035341 (CVE-2020-16154) - CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files
Status: NEW
Alias: CVE-2020-16154
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2035342 2037408 2038837 2037407 2038834 2038835 2038836
Blocks: 2035343
Reported: 2021-12-23 17:08 UTC by Marian Rehak
Modified: 2022-01-12 21:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way perl-App-cpanminus verified package signatures stored in CHECKSUMS files: data placed in front of the PGP clear-signed part of the file is not covered by the signature but is still evaluated. A malicious or compromised CPAN mirror, or a man-in-the-middle attacker, could use this flaw to bypass signature verification and have checksums for modified packages accepted.
Clone Of:
Last Closed:


Description Marian Rehak 2021-12-23 17:08:46 UTC
An attacker can prepend checksums for modified packages to the beginning of CHECKSUMS files, before the cleartext PGP headers. This makes the Module::Signature::_verify() checks in both cpan and cpanm pass.

External Reference:


Comment 1 Marian Rehak 2021-12-23 17:09:00 UTC
Created perl-App-cpanminus tracking bugs for this issue:

Affects: fedora-all [bug 2035342]

Comment 2 Tomas Hoger 2022-01-05 14:59:39 UTC
Refer to bug 2035273 comment 2 for additional details about this issue.  Bug 2035273 covers these problems in perl-CPAN / CPAN.pm, and App::cpanminus is affected in a similar way and hence the description of issues applies to both modules.

The App::cpanminus module has not yet been fixed for this issue.  Fixes were only applied to Menlo / Menlo-Legacy, which is a development version of the future cpanm version 2.0.

Commit that corrects checking of the Module::Signature::_verify() return value:

Commit that adds support for the cpan_path attribute in CHECKSUMS files:

Comment 3 Tomas Hoger 2022-01-05 15:12:44 UTC
Created perl-App-cpanminus:1.7044/perl-App-cpanminus tracking bugs for this issue:

Affects: fedora-all [bug 2037408]

Created perl-Menlo-Legacy tracking bugs for this issue:

Affects: fedora-all [bug 2037407]

Comment 5 Tomas Hoger 2022-01-07 20:32:46 UTC
Upstream fixes linked in comment 2 do not completely address all issues - they still make it possible to include crafted $cksum data before the signed content of the CHECKSUMS file and have that accepted by App::cpanminus.  This problem was reported upstream via:


Upstream responded that their decision was to not fix and rather remove signature verification completely:


Comment 7 Tomas Hoger 2022-01-10 09:41:37 UTC
Additional details about these issues can be found in the following blog post:


Comment 8 Tomas Hoger 2022-01-10 10:41:29 UTC
The mitigation recommended by upstream is to ensure that users are only using trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and always use HTTPS when downloading packages. The cpanm command can be configured to use the specific CPAN mirror using the --from command line option by running it as:

  cpanm --from https://www.cpan.org ...

You can also set environment variable PERL_CPANM_OPT to include this command line option to avoid having to specify the URL for every cpanm invocation:

  export PERL_CPANM_OPT="--from https://www.cpan.org"
