An attacker can prepend checksums for modified packages to the beginning of CHECKSUMS files, before the cleartext PGP headers. This makes the Module::Signature::_verify() checks in both cpan and cpanm pass.
Created perl-App-cpanminus tracking bugs for this issue:
Affects: fedora-all [bug 2035342]
Refer to bug 2035273 comment 2 for additional details about this issue. Bug 2035273 covers these problems in perl-CPAN / CPAN.pm, and App::cpanminus is affected in a similar way and hence the description of issues applies to both modules.
The App::cpanminus module has not yet been fixed for this issue. Fixes were only applied to Menlo / Menlo-Legacy, which is a development version of the future cpanm version 2.0.
Commit that corrects checking of the Module::Signature::_verify() return value:
Commit that adds support for the cpan_path attribute in CHECKSUMS files:
Created perl-App-cpanminus:1.7044/perl-App-cpanminus tracking bugs for this issue:
Affects: fedora-all [bug 2037408]
Created perl-Menlo-Legacy tracking bugs for this issue:
Affects: fedora-all [bug 2037407]
Upstream fixes linked in comment 2 do not completely address all issues - they still make it possible to include crafted $cksum data before the signed content of the CHECKSUMS file and have that accepted by App::cpanminus. This problem was reported upstream via:
Upstream responded that their decision was to not fix and rather remove signature verification completely:
Additional details about these issues can be found in the following blog post:
The mitigation recommended by upstream is to ensure that users are only using trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and always using HTTPS when downloading packages. The cpanm command can be configured to use a specific CPAN mirror using the --from command line option by running it as:
cpanm --from https://www.cpan.org ...
You can also set environment variable PERL_CPANM_OPT to include this command line option to avoid having to specify the URL for every cpanm invocation:
export PERL_CPANM_OPT="--from https://www.cpan.org"
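The following is an added example, not code from App::cpanminus, CPAN.pm, Menlo or Module::Signature. It models the defensive check this report calls for: a CHECKSUMS file is only read from inside the clearsigned block, and any content placed before the PGP cleartext header (the crafted $cksum preamble described in the first comment and again in the note on the incomplete upstream fixes) or after the signature is rejected outright. It also checks the entry's cpan_path against the path the distribution was fetched from. The sample file is constructed in the Data::Dumper layout used by real CHECKSUMS files; the distribution name, author path and digest values are made up, and cryptographic verification of the signature itself is assumed to happen separately (e.g. with gpg) and is not modelled.

```python
"""Structural checks for a CPAN CHECKSUMS file (added example, not project code).

gpg will happily report a good signature on a file whose clearsigned block is
preceded by arbitrary text, so a consumer must never feed the whole file to its
$cksum parser.  The check here: refuse anything outside the signed block, then
parse only the body between the armor headers and the signature.
"""
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


class ChecksumsError(ValueError):
    """Raised when the file is not one clean clearsigned block."""


def extract_signed_body(text):
    """Return the cleartext body; raise on any data before the header or after the signature."""
    start = text.find(BEGIN_SIGNED)
    if start < 0:
        raise ChecksumsError("no PGP cleartext header")
    if text[:start].strip():
        raise ChecksumsError("unsigned data before the cleartext header")
    sig = text.find(BEGIN_SIG, start)
    end = text.find(END_SIG, sig) if sig >= 0 else -1
    if sig < 0 or end < 0:
        raise ChecksumsError("signature block missing or truncated")
    if text[end + len(END_SIG):].strip():
        raise ChecksumsError("unsigned data after the signature")
    # Armor headers ("Hash: SHA256") end at the first blank line.
    headers_end = text.find("\n\n", start, sig)
    if headers_end < 0:
        raise ChecksumsError("malformed cleartext header")
    body = text[headers_end + 2:sig]
    # Undo RFC 4880 dash-escaping of lines that themselves start with "-".
    return re.sub(r"^- ", "", body, flags=re.MULTILINE)


def parse_cksum(body):
    """Parse the Data::Dumper style $cksum table into {dist: {field: value}}."""
    entries, current = {}, None
    for line in body.splitlines():
        m = re.match(r"\s*'([^']+)'\s*=>\s*\{", line)
        if m:
            if m.group(1) in entries:
                raise ChecksumsError("duplicate entry for " + m.group(1))
            current = entries.setdefault(m.group(1), {})
            continue
        m = re.match(r"\s*'(\w+)'\s*=>\s*'?([^',]*?)'?,?\s*$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return entries


def trusted_entry(text, dist, expected_cpan_path):
    """Entry for `dist` from the signed block only, or None if the file or path check fails."""
    try:
        entry = parse_cksum(extract_signed_body(text)).get(dist)
    except ChecksumsError:
        return None
    if entry is None or entry.get("cpan_path") != expected_cpan_path:
        return None
    return entry


# Constructed sample: a well-formed clearsigned CHECKSUMS file (digests are fake).
GOOD = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

$cksum = {
  'Foo-Bar-1.00.tar.gz' => {
    'cpan_path' => 'F/FO/FOO/Foo-Bar-1.00.tar.gz',
    'sha256' => 'aaaa1111',
    'size' => 1234
  },
};
-----BEGIN PGP SIGNATURE-----
(signature data omitted; assumed verified separately with gpg)
-----END PGP SIGNATURE-----
"""

# Constructed sample of the layout this report describes: a $cksum table placed
# before the signed block.  The hardened reader must reject the whole file.
TAMPERED = """$cksum = {
  'Foo-Bar-1.00.tar.gz' => {
    'cpan_path' => 'F/FO/FOO/Foo-Bar-1.00.tar.gz',
    'sha256' => 'ffff9999',
    'size' => 1234
  },
};
""" + GOOD

if __name__ == "__main__":
    path = "F/FO/FOO/Foo-Bar-1.00.tar.gz"
    print("good file    ->", trusted_entry(GOOD, "Foo-Bar-1.00.tar.gz", path))
    print("tampered file->", trusted_entry(TAMPERED, "Foo-Bar-1.00.tar.gz", path))
```

trusted_entry returns the signed entry for the good file and None for the tampered one; it also returns None when the file is otherwise fine but its cpan_path does not match the directory the tarball was fetched from, which is the second class of problem the fixed Menlo code addresses.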