CVE-2020-16156 - log

CVE-2020-16156 edited at 04 Apr 2022 22:54:01
Description
A flaw was found in the way the perl-CPAN 2.28 performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification.
+
An attacker can prepend checksums for modified packages to the beginning of CHECKSUMS files, before the cleartext PGP headers. This makes the Module::Signature::_verify() checks in both cpan and cpanm pass. Without the sigtext and plaintext arguments to _verify(), the _compare() check is bypassed. This results in _verify() only checking that valid signed cleartext is present somewhere in the file.
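The following is an added example, not code from CPAN.pm, cpanm or Module::Signature, that models the verification flow the description above lays out: a signature check that only proves a valid clearsigned block exists somewhere in the file, beside a hardened check that trusts nothing outside the text the signature covers. The OpenPGP signature is replaced by a constructed stand-in (SHA-256 over a fixed secret plus the cleartext) so that it runs offline; the package name, digests and CHECKSUMS fragments are constructed, and the "first definition wins" rule in the table parser is a simplification of how a client would read duplicate entries.

```python
import hashlib
import hmac
import re

# Constructed stand-in for an OpenPGP clearsignature so the example runs
# offline: the "signature" is SHA-256 over a fixed secret plus the cleartext.
# Real CHECKSUMS files are clearsigned with an OpenPGP key; this is not.
SIGNING_SECRET = b"constructed-stand-in-key"
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

PACKAGE = "Foo-Bar-1.00.tar.gz"  # constructed package name
GENUINE_DIGEST = hashlib.sha256(b"genuine tarball bytes").hexdigest()    # constructed
TROJANED_DIGEST = hashlib.sha256(b"trojaned tarball bytes").hexdigest()  # constructed


def _tag(cleartext):
    """Stand-in signature over the cleartext (not OpenPGP)."""
    return hashlib.sha256(SIGNING_SECRET + cleartext.encode()).hexdigest()


def clearsign(cleartext):
    """Wrap cleartext in a clearsigned block using the stand-in signature."""
    return (f"{BEGIN_SIGNED}\nHash: SHA256\n\n{cleartext}\n"
            f"{BEGIN_SIG}\n{_tag(cleartext)}\n{END_SIG}\n")


# Header lines, blank line, cleartext, then the armored signature.
_BLOCK = re.compile(
    re.escape(BEGIN_SIGNED) + r"\n(?:[^\n]+\n)*\n(.*?)\n"
    + re.escape(BEGIN_SIG) + r"\n(\S+)\n" + re.escape(END_SIG),
    re.DOTALL,
)


def find_signed_block(text):
    """Locate a clearsigned block anywhere in text and check its signature.

    Returns (start, end, cleartext) when the signature verifies, else None.
    This is the weak property the advisory describes: it proves that some
    validly signed cleartext is present in the file, nothing more."""
    m = _BLOCK.search(text)
    if m is None:
        return None
    cleartext, tag = m.group(1), m.group(2)
    if not hmac.compare_digest(tag, _tag(cleartext)):
        return None
    return m.start(), m.end(), cleartext


# Entries in the constructed table look like the Perl hash in CHECKSUMS:
#   'Foo-Bar-1.00.tar.gz' => { 'sha256' => '<hex>' },
_ENTRY = re.compile(r"'([^']+)'\s*=>\s*\{\s*'sha256'\s*=>\s*'([0-9a-f]{64})'")


def parse_table(text):
    """Map package file name -> sha256 from every entry found in text.
    Simplification: the first definition of a name wins."""
    table = {}
    for name, digest in _ENTRY.findall(text):
        table.setdefault(name, digest)
    return table


def trusted_table_vulnerable(text):
    """Flawed flow: the signature check passes if any valid block is present,
    then the whole file, including anything before the PGP header, is
    parsed for checksums."""
    if find_signed_block(text) is None:
        return None
    return parse_table(text)


def trusted_table_hardened(text):
    """Fixed flow: only the cleartext the signature covers is parsed, and a
    file carrying bytes outside the signed block is rejected outright (the
    job a _compare()-style check between signed and used text does)."""
    found = find_signed_block(text)
    if found is None:
        return None
    start, end, cleartext = found
    if text[:start].strip() or text[end:].strip():
        return None
    return parse_table(cleartext)


def genuine_checksums():
    """A constructed CHECKSUMS file as a mirror would serve it."""
    body = f"$cksum = {{\n  '{PACKAGE}' => {{ 'sha256' => '{GENUINE_DIGEST}' }},\n}};"
    return clearsign(body)


def tampered_checksums():
    """The same file with an attacker's entry for the modified tarball
    prepended before the PGP header; the signed block is untouched."""
    prefix = f"$cksum = {{\n  '{PACKAGE}' => {{ 'sha256' => '{TROJANED_DIGEST}' }},\n}};\n"
    return prefix + genuine_checksums()


if __name__ == "__main__":
    tampered = tampered_checksums()
    print("vulnerable client trusts attacker digest:",
          trusted_table_vulnerable(tampered)[PACKAGE] == TROJANED_DIGEST)
    print("hardened client accepts tampered file:",
          trusted_table_hardened(tampered) is not None)
```

The hardened path corresponds to handing the verifier the text the client is actually going to use, so that signed and used text are compared rather than merely co-located; the vulnerable path is what the description attributes to calling `_verify()` without `sigtext` and `plaintext`.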
CVE-2020-16156 edited at 04 Apr 2022 22:53:36
Description
A flaw was found in the way the perl-CPAN 2.28 performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification.
+ An attacker can prepend checksums for modified packages to the beginning of CHECKSUMS files, before the cleartext PGP headers. This makes the Module::Signature::_verify() checks in both cpan and cpanm pass. Without the sigtext and plaintext arguments to _verify(), the _compare() check is bypassed. This results in _verify() only checking that valid signed cleartext is present somewhere in the file.
CVE-2020-16156 edited at 04 Apr 2022 22:50:00
Notes
+ Similar issue as CVE-2020-16154
+
Mitigation
Users should ensure that their CPAN client is configured to use a trusted TLS (https) protected mirror as signature verification can be bypassed, and signed CHECKSUMS cannot be relied upon for security.
CVE-2020-16156 edited at 04 Apr 2022 22:47:47
Description
- CPAN 2.28 allows for a signature verification bypass.
+ A flaw was found in the way the perl-CPAN 2.28 performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification.
Notes
+ Mitigation
+ Users should ensure that their CPAN client is configured to use a trusted TLS (https) protected mirror as signature verification can be bypassed, and signed CHECKSUMS cannot be relied upon for security.
CVE-2020-16156 edited at 13 Dec 2021 19:28:49
Description
- CPAN 2.28 allows signature verification bypass.
+ CPAN 2.28 allows for a signature verification bypass.
CVE-2020-16156 edited at 13 Dec 2021 19:26:20
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Signature forgery
Description
+ CPAN 2.28 allows signature verification bypass.
References
+ https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
+ https://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html
Notes
CVE-2020-16156 created at 13 Dec 2021 19:23:21