11:08 a.m.
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
Bug ID: 2035341
Summary: CVE-2020-16154 perl-App-cpanminus: signature
verification bypass
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mrehak(a)redhat.com
CC: hhorak(a)redhat.com, jorton(a)redhat.com,
jplesnik(a)redhat.com, mmaslano(a)redhat.com,
mspacek(a)redhat.com,
perl-devel(a)lists.fedoraproject.org,
perl-maint-list(a)redhat.com
Target Milestone: ---
Classification: Other
An attacker can prepend checksums for modified packages to the beginning of
CHECKSUMS files, before the cleartext PGP headers. This makes the
Module::Signature::_verify() checks in both cpan and cpanm pass.
External Reference:
https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
11:08 a.m.
New subject: [Bug 2035341] CVE-2020-16154 perl-App-cpanminus: signature
verification bypass
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
Marian Rehak <mrehak(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |2035342
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2035342
[Bug 2035342] CVE-2020-16154 perl-App-cpanminus: signature verification bypass
[fedora-all]
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
11:09 a.m.
New subject: [Bug 2035341] CVE-2020-16154 perl-App-cpanminus: signature
verification bypass
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
Marian Rehak <mrehak(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2035343
--- Comment #1 from Marian Rehak <mrehak(a)redhat.com> ---
Created perl-App-cpanminus tracking bugs for this issue:
Affects: fedora-all [bug 2035342]
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
8:59 a.m.
New subject: [Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of
verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
Tomas Hoger <thoger(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|CVE-2020-16154 |CVE-2020-16154
|perl-App-cpanminus: |perl-App-cpanminus: Bypass
|signature verification |of verification of
|bypass |signatures in CHECKSUMS
| |files
--- Comment #2 from Tomas Hoger <thoger(a)redhat.com> ---
Refer to bug 2035273 comment 2 for additional details about this issue. Bug
2035273 covers these problems in perl-CPAN / CPAN.pm, and App::cpanminus is
affected in a similar way and hence the description of issues applies to both
modules.
The App::cpanminus module has not yet been fixed for this issue. Fixes were
only applied to Menlo / Menlo-Legacy, which is a development version of the
future cpanm version 2.0.
Commit that corrects checking of the Module::Signature::_verify() return value:
https://github.com/miyagawa/cpanminus/commit/98f43b64165a54e05ce25f9de092...
Commit that adds support for the cpan_path attributed in CHECKSUMS files:
https://github.com/miyagawa/cpanminus/commit/3c93db75ccbc75c813c7f12ea030...
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
9:12 a.m.
New subject: [Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of
verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
Tomas Hoger <thoger(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |2037408, 2037407
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2037407
[Bug 2037407] CVE-2020-16154 perl-Menlo-Legacy: perl-App-cpanminus: Bypass of
verification of signatures in CHECKSUMS files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2037408
[Bug 2037408] CVE-2020-16154 perl-App-cpanminus:1.7044/perl-App-cpanminus:
Bypass of verification of signatures in CHECKSUMS files [fedora-all]
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
9:12 a.m.
New subject: [Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of
verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
--- Comment #3 from Tomas Hoger <thoger(a)redhat.com> ---
Created perl-App-cpanminus:1.7044/perl-App-cpanminus tracking bugs for this
issue:
Affects: fedora-all [bug 2037408]
Created perl-Menlo-Legacy tracking bugs for this issue:
Affects: fedora-all [bug 2037407]
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
2:32 p.m.
New subject: [Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of
verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
--- Comment #5 from Tomas Hoger <thoger(a)redhat.com> ---
Upstream fixes linked in comment 2 do not completely address all issues - they
still make it possible to include crafted $cksum data before the signed content
of the CHECKSUMS file and have that accepted by App::cpanminus. This problem
was reported upstream via:
https://github.com/miyagawa/cpanminus/issues/639
Upstream responded that their decision was to not fix and rather remove
signature verification completely:
https://github.com/miyagawa/cpanminus/commit/1afe4a9cac56fa593e24bf5714c8...
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
3:36 a.m.
New subject: [Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of
verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
Tomas Hoger <thoger(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |2038837, 2038835, 2038836,
| |2038834
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
3:41 a.m.
New subject: [Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of
verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
--- Comment #7 from Tomas Hoger <thoger(a)redhat.com> ---
Additional details about these issues can be found in the following blog post:
http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities...
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
4:41 a.m.
New subject: [Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of
verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
--- Doc Text *updated* by Tomas Hoger <thoger(a)redhat.com> ---
A flaw was found in the way the perl-App-cpanminus performed verification of package
signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by the
user, or a man-in-the-middle attacker, could use this flaw to bypass signature
verification.
--- Comment #8 from Tomas Hoger <thoger(a)redhat.com> ---
The mitigation recommended by upstream is to ensure that users are only using
trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and always use HTTPS
when downloading packages. The cpanm command can be configured to use the
specific CPAN mirror using the --from command line option by running it as:
cpanm --from https://www.cpan.org ...
You can also set environment variable PERL_CPANM_OPT to include this command
line option to avoid having to specify the URL for every cpanm invocation:
export PERL_CPANM_OPT="--from https://www.cpan.org"
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
9:26 a.m.
New subject: [Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of
verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
--- Doc Text *updated* by Eric Christensen <sparks(a)redhat.com> ---
A flaw was found in the way the perl-App-cpanminus performed verification of package
signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a
user, or a man-in-the-middle attacker, could use this flaw to bypass signature
verification.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
10:15 a.m.
New subject: [Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of
verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
Bug 2035341 depends on bug 2037407, which changed state.
Bug 2037407 Summary: CVE-2020-16154 perl-Menlo-Legacy: perl-App-cpanminus: Bypass of
verification of signatures in CHECKSUMS files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2037407
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |EOL
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
7:32 a.m.
New subject: [Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of
verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
Bug 2035341 depends on bug 2035342, which changed state.
Bug 2035342 Summary: CVE-2020-16154 perl-App-cpanminus: Bypass of verification of
signatures in CHECKSUMS files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2035342
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |WONTFIX
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
7:33 a.m.
New subject: [Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of
verification of signatures in CHECKSUMS files
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
Bug 2035341 depends on bug 2037408, which changed state.
Bug 2037408 Summary: CVE-2020-16154 perl-App-cpanminus:1.7044/perl-App-cpanminus: Bypass
of verification of signatures in CHECKSUMS files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2037408
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |WONTFIX
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
365
days inactive
854
days old
perl-devel@lists.fedoraproject.org
13 comments
1 participants
participants (1)
-
bugzilla@redhat.com