CVE-2020-16154 log

Source
Severity Medium
Remote Yes
Type Signature forgery
Description
A flaw was found in how perl-App-cpanminus 1.7044 verified package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server, or a man-in-the-middle attacker, could use this flaw to bypass signature verification.

An attacker can prepend checksums for modified packages to the CHECKSUMS file, before the cleartext PGP headers. This makes the Module::Signature::_verify() checks in both cpan and cpanm pass: without the sigtext and plaintext arguments to _verify(), the _compare() check is skipped, so _verify() only confirms that valid signed cleartext is present somewhere in the file, not that the whole file is covered by the signature.
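To make the layout problem concrete, here is an added example (not code from the Arch tracker, cpanminus or Module::Signature) that contrasts the weak "signed block exists somewhere" check with a strict check that rejects any data outside the clearsigned envelope. The CHECKSUMS contents and the signature armor are constructed placeholders; the code checks file layout only and does not perform cryptographic verification.

```python
# Added example (not from the Arch tracker or cpanminus): a layout check that
# rejects a CHECKSUMS file carrying data outside its clearsigned block.
# The sample files below are constructed; they are not real CPAN CHECKSUMS files.

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

SIGNED_BODY = "$cksum = {\n  'Good-1.0.tar.gz' => { 'sha256' => 'cafef00d' },\n};"
SIGNATURE = f"{BEGIN_SIG}\n\n(armored signature omitted in this sample)\n{END_SIG}\n"

# Well-formed file: the signed envelope is the whole file.
CLEAN = f"{BEGIN_MSG}\nHash: SHA256\n\n{SIGNED_BODY}\n{SIGNATURE}"

# File shaped like the one the advisory describes: unsigned checksum lines
# placed before the cleartext PGP header.
PREPENDED = "$cksum = {\n  'Evil-1.0.tar.gz' => { 'sha256' => 'deadbeef' },\n};\n" + CLEAN


def lenient_has_signed_block(text: str) -> bool:
    """The weak check: a valid-looking signed block exists somewhere in the file."""
    return BEGIN_MSG in text and BEGIN_SIG in text and END_SIG in text


def strict_signed_body(text: str) -> str:
    """Return the cleartext body only if the file is exactly one clearsigned
    envelope with nothing before or after it; otherwise raise ValueError.
    Cryptographic verification of the signature is out of scope here."""
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_MSG:
        raise ValueError("data precedes the clearsigned header")
    if BEGIN_SIG not in lines or END_SIG not in lines:
        raise ValueError("signature block missing")
    sig_start, sig_end = lines.index(BEGIN_SIG), lines.index(END_SIG)
    if any(line.strip() for line in lines[sig_end + 1:]):
        raise ValueError("data follows the signature block")
    armor = lines[1:sig_start]          # armor headers, blank line, then body
    if "" not in armor:
        raise ValueError("armor headers not terminated by a blank line")
    return "\n".join(armor[armor.index("") + 1:])


def strict_accepts(text: str) -> bool:
    """True when the strict layout check passes."""
    try:
        strict_signed_body(text)
        return True
    except ValueError:
        return False
```

Only the body returned by strict_signed_body() should feed the checksum comparison; the prepended file passes the lenient check but is rejected by the strict one.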
Group     Package    Affected   Fixed  Severity  Status      Ticket
AVG-2631  cpanminus  1.7044-5   -      Medium    Vulnerable  -
References
https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
https://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html
Notes
Similar issue to CVE-2020-16156

Mitigation
Users should ensure that their CPAN client is configured to use a trusted TLS (https) protected mirror, because signature verification can be bypassed and signed CHECKSUMS files cannot be relied on for security.