CVE-2020-16154 - log

CVE-2020-16154 edited at 04 Apr 2022 22:55:11
Description
A flaw was found in the way the perl-App-cpanminus 1.7044 performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification.
+
+ An attacker can prepend checksums for modified packages to the beginning of CHECKSUMS files, before the cleartext PGP headers. This makes the Module::Signature::_verify() checks in both cpan and cpanm pass. Without the sigtext and plaintext arguments to _verify(), the _compare() check is bypassed. This results in _verify() only checking that valid signed cleartext is present somewhere in the file.
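The mechanism described above, modelled as an added example (this is not cpanm's, cpan's or Module::Signature's code). The PGP cleartext signature is replaced by an HMAC-SHA256 stand-in so the script runs offline; the structural flaw does not depend on the signature algorithm. The CHECKSUMS layout, the distribution name `Foo-1.0.tar.gz`, the tarball contents and the key are all constructed. `verify_anywhere()` behaves like a `_verify()` call with no sigtext/plaintext to compare: it only requires that a validly signed block exists somewhere in the file, so an entry prepended before the PGP header is never checked against the signature and a first-match lookup picks it up. `verify_whole_file()` is the corrected behaviour: the signed block must be the entire file and only the signed body is handed to the checksum parser.

```python
"""Model of the CVE-2020-16154 CHECKSUMS signature-verification bypass."""
import hashlib
import hmac
import re

# Constructed stand-in for the mirror's PGP signing key. A real CHECKSUMS
# file carries a PGP cleartext signature; HMAC-SHA256 stands in for it here.
MIRROR_KEY = b"constructed-mirror-signing-key"

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----\n"
END_SIG = "-----END PGP SIGNATURE-----\n"

DIST = "Foo-1.0.tar.gz"                          # constructed distribution name
GENUINE_TARBALL = b"genuine Foo-1.0 contents"    # constructed
TROJANED_TARBALL = b"trojaned Foo-1.0 contents"  # constructed


def sign_cleartext(body: str, key: bytes = MIRROR_KEY) -> str:
    """Wrap body in a cleartext-signed message using the stand-in signature."""
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return BEGIN_MSG + body + BEGIN_SIG + tag + "\n" + END_SIG


SIGNED_RE = re.compile(
    re.escape(BEGIN_MSG) + r"(?P<body>.*?)" + re.escape(BEGIN_SIG)
    + r"(?P<tag>[0-9a-f]{64})\n" + re.escape(END_SIG),
    re.S,
)


def verify_anywhere(text: str, key: bytes = MIRROR_KEY) -> bool:
    """Vulnerable check: true if a validly signed block exists ANYWHERE.
    Like _verify() without sigtext/plaintext, nothing compares the signed
    body against the bytes the client goes on to parse."""
    m = SIGNED_RE.search(text)
    if not m:
        return False
    expected = hmac.new(key, m["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, m["tag"])


def verify_whole_file(text: str, key: bytes = MIRROR_KEY):
    """Hardened check: the signed block must be the whole file, and only the
    signed body is returned for parsing. Returns None on any failure."""
    m = SIGNED_RE.fullmatch(text)
    if not m:
        return None
    expected = hmac.new(key, m["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, m["tag"]):
        return None
    return m["body"]


def lookup_sha256(checksums_text: str, filename: str):
    """First-match lookup of a distribution's sha256 in CHECKSUMS-style data.
    Scanning the whole file is what lets a prepended entry win."""
    pat = re.compile(
        r"'" + re.escape(filename)
        + r"'\s*=>\s*\{.*?'sha256'\s*=>\s*'([0-9a-f]{64})'",
        re.S,
    )
    m = pat.search(checksums_text)
    return m.group(1) if m else None


def checksums_entry(filename: str, data: bytes) -> str:
    return ("  '%s' => {\n    'sha256' => '%s',\n    'size' => %d\n  },\n"
            % (filename, hashlib.sha256(data).hexdigest(), len(data)))


def genuine_checksums() -> str:
    """Signed CHECKSUMS file as the mirror would publish it (constructed)."""
    body = ("0&&<<''; # cleartext\n$cksum = {\n"
            + checksums_entry(DIST, GENUINE_TARBALL) + "};\n")
    return sign_cleartext(body)


def tampered_checksums() -> str:
    """Attacker prepends its own entry BEFORE the PGP header; the signed
    block that follows is untouched and still verifies."""
    return ("$cksum = {\n" + checksums_entry(DIST, TROJANED_TARBALL) + "};\n"
            + genuine_checksums())


def vulnerable_client(checksums_text: str, tarball: bytes) -> bool:
    """Would a client with the flawed check install this tarball?"""
    if not verify_anywhere(checksums_text):
        return False
    return lookup_sha256(checksums_text, DIST) == hashlib.sha256(tarball).hexdigest()


def hardened_client(checksums_text: str, tarball: bytes) -> bool:
    """Would a client that parses only the signed body install this tarball?"""
    body = verify_whole_file(checksums_text)
    if body is None:
        return False
    return lookup_sha256(body, DIST) == hashlib.sha256(tarball).hexdigest()


if __name__ == "__main__":
    print("vulnerable accepts trojan:", vulnerable_client(tampered_checksums(), TROJANED_TARBALL))
    print("hardened accepts trojan:  ", hardened_client(tampered_checksums(), TROJANED_TARBALL))
```

The decisive difference is `search` versus `fullmatch` plus parsing only the returned signed body: a checksum that sits outside the signed region is never covered by the signature, so it must never be consulted.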
CVE-2020-16154 edited at 04 Apr 2022 22:51:17
Description
- The App::cpanminus package 1.7044 for Perl allows for a signature verification bypass.
+ A flaw was found in the way the perl-App-cpanminus 1.7044 performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification.
Notes
+ Similar issue as CVE-2020-16156
+
+ Mitigation
+ Users should ensure that their CPAN client is configured to use a trusted, TLS (https) protected mirror, as signature verification can be bypassed and signed CHECKSUMS files cannot be relied upon for security.
CVE-2020-16154 edited at 13 Dec 2021 19:28:35
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Signature forgery
Description
+ The App::cpanminus package 1.7044 for Perl allows for a signature verification bypass.
References
+ https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
+ https://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html
Notes
CVE-2020-16154 created at 13 Dec 2021 19:27:20