It was found that cpan and cpanm are vulnerable to a signature verification bypass. Additionally, CPAN::Checksums (used by PAUSE) does not uniquely identify packages in the signed CHECKSUMS file, enabling a supply chain attack.
Created perl-CPAN tracking bugs for this issue:
Affects: fedora-all [bug 2035274]
The report covers two separate methods to bypass verification of signatures stored in CHECKSUMS files:
1) The first problem is an implementation error found in both the perl-CPAN / CPAN.pm and perl-App-cpanminus modules. Those modules did not correctly handle the return value of Module::Signature::_verify() and treated the CANNOT_VERIFY error return value as equivalent to the SIGNATURE_OK return value, i.e. they assumed that the signature was correctly verified when verification had failed or could not be performed. In perl-CPAN, this problem was fixed in the following commit, applied in version 2.29:
2) The second problem is related to the design of the CHECKSUMS file format. The file only contained file names inside the CPAN author's directory, without indicating in any way which author the CHECKSUMS file is for. As all CHECKSUMS files get signed by the same PAUSE ([Perl programming] Authors Upload Server) key, a CHECKSUMS file generated for one author could be used in a directory for a different author without clients being able to detect that. This problem was fixed by extending the CHECKSUMS file format to introduce an additional attribute, cpan_path, that indicates which author directory the CHECKSUMS file is for. perl-CPAN was enhanced to check this attribute via this commit, also applied in version 2.29:
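The two checks described in items 1) and 2), as an added example rather than code from CPAN.pm or cpanminus. The Module::Signature return-value constants are defined locally (an assumption, so the script runs without Module::Signature installed) mirroring the values that module exports: CANNOT_VERIFY is the string '0 but true', which compares numerically equal to SIGNATURE_OK (0), and that is exactly how a numeric comparison lets an unverifiable signature pass. The CHECKSUMS text, the author directory A/AB/ABCDE and the distribution contents are constructed placeholders.

```perl
#!/usr/bin/perl
# Added example, not code from CPAN.pm or cpanminus: the checks a CPAN client
# has to apply to a CHECKSUMS file before trusting the digests it contains.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Return values mirroring Module::Signature's exported constants, defined
# locally (assumption) so this runs without Module::Signature installed.
# CANNOT_VERIFY is the string '0 but true', which compares numerically
# equal to SIGNATURE_OK (0): the root of problem 1.
use constant {
    SIGNATURE_OK      => 0,
    SIGNATURE_MISSING => -1,
    SIGNATURE_BAD     => -3,
    CANNOT_VERIFY     => '0 but true',
};

# Problem 1, the fail-open pattern: a numeric compare accepts CANNOT_VERIFY.
sub signature_trusted_buggy {
    my ($rv) = @_;
    return $rv == SIGNATURE_OK ? 1 : 0;
}

# Fixed: fail closed unless the result is exactly SIGNATURE_OK.
sub signature_trusted {
    my ($rv) = @_;
    return 0 if $rv eq CANNOT_VERIFY;        # string compare sees '0 but true'
    return $rv == SIGNATURE_OK ? 1 : 0;
}

# Problem 2: after the signature check, bind the file to the author
# directory it was fetched from via the cpan_path attribute added by the fix.
# A CHECKSUMS file is valid Perl, so it is loaded with a string eval.
sub load_checksums {
    my ($text, $expected_path) = @_;
    my $cksum;
    eval $text;
    die "cannot parse CHECKSUMS: $@" if $@;
    die "CHECKSUMS has no cpan_path (old format), refusing to use it\n"
        unless defined $cksum->{cpan_path};
    die "CHECKSUMS is for $cksum->{cpan_path}, expected $expected_path\n"
        unless $cksum->{cpan_path} eq $expected_path;
    return $cksum;
}

# Compare a downloaded distribution against its entry in the loaded file.
sub digest_ok {
    my ($cksum, $name, $bytes) = @_;
    my $entry = $cksum->{$name} or return 0;
    return $entry->{size} == length($bytes)
        && $entry->{sha256} eq sha256_hex($bytes) ? 1 : 0;
}

# Constructed sample: a fake distribution and a CHECKSUMS file for the
# placeholder author directory A/AB/ABCDE, with the PGP armor layout that a
# PAUSE-signed file carries (the signature itself is a placeholder).
my $dist = "not a real tarball\n";
my $text = sprintf(<<'CHECKSUMS', sha256_hex($dist), length $dist);
0&&<<''; # this PGP-signed message is also valid perl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Checksums for /cpan/authors/id/A/AB/ABCDE
$cksum = {
  'cpan_path' => 'A/AB/ABCDE',
  'Example-Dist-1.00.tar.gz' => {
    'sha256' => '%s',
    'size' => %d,
  },
};
__END__
-----BEGIN PGP SIGNATURE-----
(signature placeholder)
-----END PGP SIGNATURE-----
CHECKSUMS

for my $rv (SIGNATURE_OK, CANNOT_VERIFY, SIGNATURE_BAD) {
    printf "rv=%-12s buggy=%d fixed=%d\n", "'$rv'",
        signature_trusted_buggy($rv), signature_trusted($rv);
}
# Only after signature_trusted() returned 1 would a client proceed here:
my $cksum = load_checksums($text, 'A/AB/ABCDE');
print "digest ok: ", digest_ok($cksum, 'Example-Dist-1.00.tar.gz', $dist), "\n";
# The same signed file served from another author's directory is rejected:
eval { load_checksums($text, 'X/XY/XYZZY') };
print "moved file: $@";
```

The buggy row for CANNOT_VERIFY shows 1 under the numeric compare and 0 under the fixed one; the last line shows the cpan_path check rejecting a CHECKSUMS file that was moved between author directories even though its signature is unchanged.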
Related CVE-2020-16155 was assigned for the CPAN::Checksums module that is used to generate CHECKSUMS files. The CVE covers the lack of information indicating the specific CPAN author directory in CHECKSUMS files.
Both of these issues could be exploited by malicious or compromised mirrors, if users use them, or by a man-in-the-middle attacker in case a plain-text HTTP connection was used to download packages instead of encrypted HTTPS. The exploitation of the second vulnerability additionally requires the attacker to have a valid CPAN author account in order to get a malicious CHECKSUMS file generated and signed by CPAN / PAUSE. Therefore, the recommended mitigation is to configure CPAN clients to only download packages from trusted CPAN mirrors (www.cpan.org and cpan.metacpan.org) and to always use HTTPS.
Note that both CPAN.pm and cpanminus defaulted to not checking signatures in the CHECKSUMS file unless explicitly configured to do so. Therefore, this issue was not relevant to users of the default configuration, which did not enable signature verification.
Additional details about these issues can be found in the following blog post:
Note that the Module::Signature module that is used by both perl-CPAN and perl-App-cpanminus to perform verification of signatures from the CHECKSUMS files is not shipped with Red Hat Enterprise Linux 8. It is shipped with Red Hat Enterprise Linux 7, but it is not installed as a dependency when installing perl-CPAN; it is only required by perl-App-cpanminus.
When Module::Signature is not installed, both cpan and cpanm skip signature verification and continue with package installation without verification, even when configured to perform verification (using the check_sigs configuration option for cpan, or the --verify command line option for cpanm).
There is another fix needed to properly fix the first attack vector in addition to the commit already linked in comment 2 above:
These commits are also included in 2.29.
The mitigation recommended by upstream is to ensure that users are only using trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and always use HTTPS when downloading packages. If you already have cpan configured, the list of configured mirrors can be viewed by running the `cpan` command without any arguments and entering the following command at the cpan command's prompt:
o conf urllist
Ensure that the URL list only includes trusted mirrors and that the https:// scheme is used for all URLs. A different set of mirrors can be configured using the following commands (these examples show how to configure one or more mirrors; only one of the commands should be used):
o conf urllist https://www.cpan.org
o conf urllist https://www.cpan.org https://cpan.metacpan.org
After changing configuration, the following command must be used to save the configuration:
o conf commit
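A small audit script for the urllist check above, added here as an example and not part of CPAN.pm. It applies the two conditions from the mitigation (host is one of the trusted mirrors named above, scheme is https) to each entry; the sample list it runs on by default is constructed, with mirror.example.net as a placeholder for an untrusted mirror, and the real entries printed by `o conf urllist` can be passed on the command line instead.

```perl
#!/usr/bin/perl
# Added example, not code from CPAN.pm: audit a cpan urllist against the
# upstream mitigation (trusted mirrors only, always HTTPS).
use strict;
use warnings;

# The trusted mirrors named in the advisory text.
my %TRUSTED = map { $_ => 1 } qw(www.cpan.org cpan.metacpan.org);

# Returns the list of problems found for one URL; an empty list means the
# entry is acceptable.
sub audit_url {
    my ($url) = @_;
    my @problems;
    my ($scheme, $host) = $url =~ m{^([a-z][a-z0-9+.-]*)://([^/:]*)}i
        or return ("$url: not a scheme://host URL");
    push @problems, "$url: scheme is '$scheme', not https"
        unless lc($scheme) eq 'https';
    push @problems, "$url: host '$host' is not a trusted mirror"
        unless $TRUSTED{ lc $host };
    return @problems;
}

# Audits a whole urllist; an empty list is itself a problem because cpan
# would then fall back to whatever it can find.
sub audit_urllist {
    my (@urls) = @_;
    return ("urllist is empty") unless @urls;
    return map { audit_url($_) } @urls;
}

# Constructed sample standing in for the output of `o conf urllist`; pass
# the real entries as command-line arguments to audit them instead.
my @urllist = @ARGV ? @ARGV : (
    'https://www.cpan.org/',
    'http://www.cpan.org/',              # plain HTTP: a MITM can swap files
    'https://mirror.example.net/CPAN/',  # placeholder untrusted mirror
    'file:///var/cache/cpan-mirror/',    # local mirror, neither https nor trusted
);
my @problems = audit_urllist(@urllist);
print @problems ? join("\n", @problems) . "\n" : "urllist OK\n";
exit(@problems ? 1 : 0);
```

With the sample list the script reports the http:// entry, the untrusted host and the file:// entry, and exits non-zero; a list containing only https://www.cpan.org and https://cpan.metacpan.org prints "urllist OK".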
Two additional small corrective fixes amending fixes linked from comment 5 above:
These are not included in version 2.29.