CVE-2020-16154 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Signature forgery
Description	A flaw was found in the way the perl-App-cpanminus 1.7044 performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification. An attacker can prepend checksums for modified packages to the beginning of CHECKSUMS files, before the cleartext PGP headers. This makes the Module::Signature::_verify() checks in both cpan and cpanm pass. Without the sigtext and plaintext arguments to _verify(), the _compare() check is bypassed. This results in _verify() only checking that valid signed cleartext is present somewhere in the file.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2631	cpanminus	1.7044-5		Medium	Vulnerable

References
https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/ https://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html

Notes
Similar issue as CVE-2020-16156 Mitigation Users should ensure that their CPAN client is configured to use a trusted TLS (https) protected mirror as signature verification can be bypassed, and signed CHECKSUMS cannot be relied upon for security.

Notes

Similar issue as CVE-2020-16156

Mitigation
Users should ensure that their CPAN client is configured to use a trusted TLS (https) protected mirror as signature verification can be bypassed, and signed CHECKSUMS cannot be relied upon for security.