Bug 2035273 (CVE-2020-16156) - CVE-2020-16156 perl-CPAN: Bypass of verification of signatures in CHECKSUMS files
Summary: CVE-2020-16156 perl-CPAN: Bypass of verification of signatures in CHECKSUMS f...
Status: NEW
Alias: CVE-2020-16156
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On: 2035274 2037211 2038304 2038305 2038306 2038307
Blocks: 2035276
Reported: 2021-12-23 12:51 UTC by Marian Rehak
Modified: 2023-09-26 18:40 UTC (History)

Fixed In Version: perl-CPAN 2.29
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way perl-CPAN performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification.
Clone Of:
Last Closed:


Description Marian Rehak 2021-12-23 12:51:33 UTC
It was found that cpan and cpanm are vulnerable to a signature verification bypass. Additionally, CPAN::Checksums (used by PAUSE) does not uniquely identify packages in the signed CHECKSUMS file, enabling a supply chain attack.



Comment 1 Marian Rehak 2021-12-23 12:51:47 UTC
Created perl-CPAN tracking bugs for this issue:

Affects: fedora-all [bug 2035274]

Comment 2 Tomas Hoger 2022-01-05 09:13:20 UTC
The report covers two separate methods to bypass verification of signatures stored in CHECKSUMS files:

1) The first problem is an implementation error found in both perl-CPAN / CPAN.pm and perl-App-cpanminus modules.  Those modules did not correctly handle the return value of Module::Signature::_verify() and handled the CANNOT_VERIFY error return value as equivalent to the SIGNATURE_OK return value, i.e. assuming that the signature was correctly verified while verification failed or could not be performed.  In perl-CPAN, this problem was fixed in the following commit applied in version 2.29:


2) The second problem is related to the design of the CHECKSUMS file format. The file only contained file names inside of the CPAN author's directory, without indicating in any way which author the CHECKSUMS file is for.  As all CHECKSUMS files get signed by the same PAUSE ([Perl programming] Authors Upload Server) key, a CHECKSUMS file generated for one author could be used in a directory for a different author without clients being able to detect that.  This problem was fixed by extending the CHECKSUMS file format to introduce an additional attribute cpan_path that indicates which author directory the CHECKSUMS file is for.  perl-CPAN was enhanced to check this attribute via this commit also applied in version 2.29:


Related CVE-2020-16155 was assigned for the CPAN::Checksums module that is used to generate CHECKSUMS files.  The CVE covers the lack of information to indicate the specific CPAN author directory in CHECKSUMS files.

Both of these issues could be exploited by malicious or compromised mirrors if used by users, or by a man-in-the-middle attacker in case a plain text HTTP connection was used to download packages instead of using encrypted HTTPS.  The exploitation of the second vulnerability additionally requires the attacker to have a valid CPAN author account to be able to get a malicious CHECKSUMS file generated and signed by CPAN / PAUSE.  Therefore, a recommended mitigation is to only configure CPAN clients to download packages from trusted CPAN mirrors (www.cpan.org and cpan.metacpan.org) and always use HTTPS.

Note that both CPAN.pm and cpanminus defaulted to not checking signatures in the CHECKSUMS file unless explicitly configured to do so.  Therefore, this issue was not relevant to users using the default configuration that did not enable signature verification.

Additional details about these issues can be found in the following blog post:


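The two client-side checks described in this comment, as an added example that is neither CPAN.pm's nor the commenter's code: it assumes Module::Signature is installed (its status constants are used by fully qualified name) and that CHECKSUMS entries carry the cpan_path attribute in the form used by current CPAN::Checksums output, e.g. A/AU/AUTHOR/Dist-1.0.tar.gz; the CHECKSUMS body in the script is a constructed, unsigned sample.

```perl
use strict;
use warnings;
use Safe;
use Module::Signature ();   # assumed installed; its constants are used by qualified name

# 1) Status handling.  Module::Signature encodes CANNOT_VERIFY as the "zero
#    but true" string '0E0', numerically equal to SIGNATURE_OK (0), so a client
#    that only tests `$rv == Module::Signature::SIGNATURE_OK()` also accepts
#    CANNOT_VERIFY.  Accept a genuine SIGNATURE_OK and nothing else.
sub signature_verified {
    my ($rv) = @_;
    return 0 unless defined $rv;
    return 0 if $rv eq Module::Signature::CANNOT_VERIFY();   # string compare on purpose
    return $rv == Module::Signature::SIGNATURE_OK() ? 1 : 0;
}

# 2) Author-directory binding.  CHECKSUMS is Perl data evaluated in a Safe
#    compartment.  Assumed layout (as in current CPAN::Checksums output): each
#    entry carries cpan_path => 'A/AU/AUTHOR/Dist-1.0.tar.gz', which must equal
#    the path the client fetched, so a file made for another author is rejected.
sub trusted_entry {
    my ($checksums_text, $fetched_path) = @_;   # path below authors/id/
    my ($basename) = $fetched_path =~ m{([^/]+)\z};
    my $cksum = Safe->new->reval($checksums_text);
    die "CHECKSUMS did not evaluate to a hash: $@" unless ref $cksum eq 'HASH';
    my $entry = $cksum->{$basename} or die "no CHECKSUMS entry for $basename\n";
    my $got = $entry->{cpan_path};
    die "entry for $basename has no cpan_path; not trusted\n" unless defined $got;
    die "CHECKSUMS entry is for '$got', not '$fetched_path'\n" unless $got eq $fetched_path;
    return $entry;
}

unless (caller) {
    # Constructed, unsigned sample of the Perl body of a CHECKSUMS file.
    my $sample = <<'END_CHECKSUMS';
$cksum = {
  'Dist-1.0.tar.gz' => {
    'cpan_path' => 'A/AU/AUTHOR/Dist-1.0.tar.gz',
    'sha256'    => 'PLACEHOLDER_SHA256',
  },
};
END_CHECKSUMS
    printf "SIGNATURE_OK  -> %d\n", signature_verified(Module::Signature::SIGNATURE_OK());
    printf "CANNOT_VERIFY -> %d\n", signature_verified(Module::Signature::CANNOT_VERIFY());
    my $e = trusted_entry($sample, 'A/AU/AUTHOR/Dist-1.0.tar.gz');
    print "accepted, sha256 $e->{sha256}\n";
    eval { trusted_entry($sample, 'O/OT/OTHER/Dist-1.0.tar.gz') };
    print "rejected: $@";
}
```

The signature check and the cpan_path check are independent: a CHECKSUMS file must pass both before any digest in it is used.
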
Comment 4 Tomas Hoger 2022-01-05 15:06:19 UTC
Note that the Module::Signature module that is used by both perl-CPAN and perl-App-cpanminus to perform verification of signatures from the CHECKSUMS files is not shipped with Red Hat Enterprise Linux 8.  It is shipped with Red Hat Enterprise Linux 7, but it is not installed as a dependency when installing perl-CPAN; it is only required by perl-App-cpanminus.

When Module::Signature is not installed, both cpan and cpanm skip signature verification and continue with package installation without verification even when configured to perform verification (using the check_sigs configuration option for cpan, or the --verify command line option for cpanm).

Comment 5 Tomas Hoger 2022-01-05 20:12:37 UTC
There is another fix needed to properly fix the first attack vector in addition to the commit already linked in comment 2 above:


These commits are also included in 2.29.

Comment 9 Tomas Hoger 2022-01-10 09:57:25 UTC
The mitigation recommended by upstream is to ensure that users are only using trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and always use HTTPS when downloading packages.  If you already have cpan configured, the list of configured mirrors can be viewed by running the `cpan` command without any argument and entering the following command at the cpan command's prompt:

  o conf urllist

Ensure that the URL list only includes trusted mirrors and that the https:// scheme is used for all URLs.  A different set of mirrors can be configured using the following commands (these examples show how to configure one or more mirrors; only one of the commands should be used):

  o conf urllist https://www.cpan.org
  o conf urllist https://www.cpan.org https://cpan.metacpan.org

After changing configuration, the following command must be used to save the configuration:

  o conf commit

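The urllist review from this comment as a non-interactive script, added here and not part of the original comment or of CPAN.pm: it assumes cpan has already been configured, reads the saved list through CPAN::HandleConfig (or takes URLs on the command line instead), and reports every entry that is not an https:// URL on www.cpan.org or cpan.metacpan.org.

```perl
use strict;
use warnings;

# The mirrors recommended above; every other host is reported.
my %TRUSTED = map { $_ => 1 } qw(www.cpan.org cpan.metacpan.org);

# Returns a list of findings; empty when every entry is an https:// URL on a
# trusted mirror.  Takes the urllist entries exactly as cpan stores them.
sub audit_urllist {
    my (@urls) = @_;
    my @findings;
    push @findings, "urllist is empty" unless @urls;
    for my $url (@urls) {
        my ($scheme) = $url =~ m{^([a-z][a-z0-9+.-]*):}i;
        my ($host)   = $url =~ m{^[a-z][a-z0-9+.-]*://([^/:]+)}i;
        if (!defined $scheme) {
            push @findings, "$url: not a URL";
            next;
        }
        push @findings, "$url: scheme is $scheme, not https (plain-text transport)"
            if lc $scheme ne 'https';
        push @findings, "$url: host is not a trusted mirror"
            unless defined $host && $TRUSTED{ lc $host };
    }
    return @findings;
}

unless (caller) {
    my @urls = @ARGV;
    unless (@urls) {
        # Load the saved configuration the way the cpan shell does; assumes
        # cpan has already been configured.
        no warnings 'once';
        require CPAN::HandleConfig;
        CPAN::HandleConfig->load;
        @urls = @{ $CPAN::Config->{urllist} || [] };
    }
    my @findings = audit_urllist(@urls);
    if (@findings) {
        print "$_\n" for @findings;
        exit 1;
    }
    print "urllist OK: @urls\n";
}
```

A non-zero exit with findings means the `o conf urllist ...` and `o conf commit` steps above still need to be applied.
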
Comment 10 Tomas Hoger 2022-01-12 21:27:05 UTC
Two additional small corrective fixes amending fixes linked from comment 5 above:


These are not included in version 2.29.
