CVE-2020-16156 log

Severity Medium
Remote Yes
Type Signature forgery
A flaw was found in the way perl-CPAN 2.28 performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification.

An attacker can prepend checksums for modified packages to the beginning of CHECKSUMS files, before the cleartext PGP headers. This makes the Module::Signature::_verify() checks in both cpan and cpanm pass. Without the sigtext and plaintext arguments to _verify(), the _compare() check is bypassed. This results in _verify() only checking that valid signed cleartext is present somewhere in the file.
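As an added illustration (not code from this tracker, CPAN or Module::Signature), the structural check a client needs before trusting a CHECKSUMS file: the whole file must consist of the clearsigned block, so an entry prepended before the PGP header is rejected instead of being read first. The distribution name, digests and signature armor below are constructed placeholders, and cryptographic verification of the armor itself is left to gpg rather than performed here.

```python
import re
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG, END_SIG = "-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----"
ENTRY_RE = re.compile(r"'([^']+)'\s*=>\s*\{[^}]*?'sha256'\s*=>\s*'([0-9a-f]{64})'")
# Constructed sample CHECKSUMS file in the Perl hash syntax CPAN mirrors serve.
# Distribution name, digests and the armored signature are placeholders, not real values.
DIST, GOOD_DIGEST, EVIL_DIGEST = "Example-Dist-1.00.tar.gz", "a" * 64, "b" * 64
GOOD_FILE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

$cksum = {
  '%s' => { 'sha256' => '%s', 'size' => 12345 }
};
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEplaceholdersignaturebytes=
-----END PGP SIGNATURE-----
""" % (DIST, GOOD_DIGEST)
# The prepend the advisory describes: an unsigned entry placed before the PGP header.
TAMPERED_FILE = "$cksum = { '%s' => { 'sha256' => '%s' } };\n" % (DIST, EVIL_DIGEST) + GOOD_FILE

def sha256_for(text, dist):
    """First sha256 entry recorded for `dist` in `text`, or None."""
    return next((d for name, d in ENTRY_RE.findall(text) if name == dist), None)

def split_clearsigned(text):
    """Split into (unsigned prefix, signed payload, signature armor, unsigned suffix)."""
    start = text.find(BEGIN_SIGNED)
    sig_start = text.find(BEGIN_SIG, start) if start >= 0 else -1
    sig_end = text.find(END_SIG, sig_start) if sig_start >= 0 else -1
    if sig_end < 0:
        raise ValueError("no well-formed clearsigned block")
    sig_end += len(END_SIG)
    # Armor headers ("Hash: SHA256") end at the first blank line; undo dash-escaping.
    _, _, body = text[start:sig_start].partition("\n\n")
    payload = "".join(ln[2:] if ln.startswith("- ") else ln for ln in body.splitlines(True))
    return text[:start], payload, text[sig_start:sig_end], text[sig_end:]

def naive_digest(text, dist):
    """Flawed pattern: a signed block anywhere is accepted and lookup scans the whole file."""
    if BEGIN_SIGNED not in text or END_SIG not in text:
        raise ValueError("no signed block")
    return sha256_for(text, dist)

def trusted_digest(text, dist):
    """Hardened pattern: reject unsigned bytes outside the block and read only the payload.
    Cryptographic verification of the armor is left to gpg and not performed here."""
    prefix, payload, _armor, suffix = split_clearsigned(text)
    if prefix or suffix.strip():
        raise ValueError("unsigned data outside the clearsigned block")
    return sha256_for(payload, dist)
```

On the tampered file the naive lookup returns the prepended digest while the hardened path refuses the file outright.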
Group     Package  Affected  Fixed  Severity  Status      Ticket
AVG-2630  perl     5.34.0-3  -      Medium    Vulnerable  -
Similar issue to CVE-2020-16154

Users should ensure that their CPAN client is configured to use a trusted, TLS (https) protected mirror, since signature verification can be bypassed and signed CHECKSUMS files cannot be relied upon for security.