https://bugzilla.redhat.com/show_bug.cgi?id=2035273

Tomas Hoger <thoger@xxxxxxxxxx> changed:

           What    |Removed                              |Added
----------------------------------------------------------------------------
        Summary    |CVE-2020-16156 perl-CPAN:            |CVE-2020-16156 perl-CPAN:
                   |signature verification bypass        |Bypass of verification of
                   |                                     |signatures in CHECKSUMS file

--- Comment #2 from Tomas Hoger <thoger@xxxxxxxxxx> ---

The report covers two separate methods to bypass verification of signatures stored in CHECKSUMS files:

1) The first problem is an implementation error found in both the perl-CPAN / CPAN.pm and perl-App-cpanminus modules. Those modules did not correctly handle the return value of Module::Signature::_verify() and handled the CANNOT_VERIFY error return value as equivalent to the SIGNATURE_OK return value, i.e. they assumed that the signature was correctly verified while verification had failed or could not have been performed.

In perl-CPAN, this problem was fixed in the following commit, applied in version 2.29:

https://github.com/andk/cpanpm/commit/b27c51adf0fda25dee84cb72cb2b1bf7d832148c

2) The second problem is related to the design of the CHECKSUMS file format. The file only contained file names inside the CPAN author's directory, without indicating in any way which author the CHECKSUMS file is for. As all CHECKSUMS files get signed by the same PAUSE ([Perl programming] Authors Upload Server) key, a CHECKSUMS file generated for one author could be used in a directory for a different author without clients being able to detect that.

This problem was fixed by extending the CHECKSUMS file format to introduce an additional attribute, cpan_path, that indicates which author directory the CHECKSUMS file is for. perl-CPAN was enhanced to check this attribute via this commit, also applied in version 2.29:

https://github.com/andk/cpanpm/commit/bcbf6d608e48d25306ecfd273118b4d6ba1c5df6

The related CVE-2020-16155 was assigned to the CPAN::Checksums module that is used to generate CHECKSUMS files. That CVE covers the lack of information indicating the specific CPAN author directory in CHECKSUMS files.

Both of these issues could be exploited by malicious or compromised mirrors, if users use them, or by a man-in-the-middle attacker in case a plain-text HTTP connection was used to download packages instead of encrypted HTTPS. The exploitation of the second vulnerability additionally requires the attacker to have a valid CPAN author account to be able to get a malicious CHECKSUMS file generated and signed by CPAN / PAUSE. Therefore, a recommended mitigation is to only configure CPAN clients to download packages from trusted CPAN mirrors (www.cpan.org and cpan.metacpan.org) and to always use HTTPS.

Note that both CPAN.pm and cpanminus defaulted to not checking signatures in the CHECKSUMS file unless explicitly configured to do so. Therefore, this issue was not relevant to users using the default configuration, which did not enable signature verification.

Additional details about these issues can be found in the following blog post:

http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html

-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2035273
_______________________________________________
perl-devel mailing list -- perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to perl-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
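The following is an added, constructed model of the two bypasses described in the bug comment above; it is example code written for this page, not CPAN.pm, cpanminus or PAUSE code, and it is in Python rather than Perl so that it runs stand-alone. It shows why bypass 1 is a comparison bug: in Module::Signature, CANNOT_VERIFY is the Perl string '0 but true', which compares numerically equal to SIGNATURE_OK's 0, so a client that tests the status with a numeric == cannot tell "verified" from "could not verify" (that detail is from Module::Signature's constants, not from the comment). It then shows bypass 2, a CHECKSUMS file honestly signed for one author directory being served from another, and how the cpan_path attribute closes it. Assumptions: the PAUSE PGP signature is stood in for by an HMAC-SHA256 under a single key shared by all author directories, the CHECKSUMS body is JSON rather than Perl source, and the author directories V/VI/VICTIM and M/MA/MALLORY, the dist name Foo-Bar-1.00.tar.gz and all tarball bytes are constructed.

```python
"""Model of the CVE-2020-16156 CHECKSUMS bypasses and their fixes.
Constructed example, not CPAN.pm / cpanminus / PAUSE code: the PAUSE PGP
signature is an HMAC under one key shared by every author directory (the
property bypass 2 relies on) and the CHECKSUMS body is JSON, not Perl."""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class SigStatus:
    name: str
    numeric: int  # what a Perl numeric comparison (==) sees


# Mirrors Module::Signature: SIGNATURE_OK is 0 and CANNOT_VERIFY is the Perl
# string '0 but true', so the two are equal under ==, which is bug 1.
SIGNATURE_OK = SigStatus("SIGNATURE_OK", 0)
CANNOT_VERIFY = SigStatus("CANNOT_VERIFY", 0)
SIGNATURE_BAD = SigStatus("SIGNATURE_BAD", -3)

PAUSE_KEY = b"constructed PAUSE signing key"  # stand-in, same key for all authors


def pause_sign(cksum):
    """Stand-in for PAUSE generating and signing an author's CHECKSUMS file."""
    body = json.dumps(cksum, sort_keys=True)
    tag = hmac.new(PAUSE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "\n#SIG " + tag


def verify_signature(doc, trusted_key):
    """Stand-in for Module::Signature::_verify().  trusted_key=None models a
    client that cannot verify at all (no key, no gpg): CANNOT_VERIFY, not OK."""
    body, _, tag = doc.rpartition("\n#SIG ")
    if trusted_key is None:
        return CANNOT_VERIFY
    expect = hmac.new(trusted_key, body.encode(), hashlib.sha256).hexdigest()
    return SIGNATURE_OK if hmac.compare_digest(expect, tag) else SIGNATURE_BAD


def parse_checksums(doc):
    return json.loads(doc.rpartition("\n#SIG ")[0])


def digest_ok(entry, tarball):
    return entry is not None and entry["sha256"] == hashlib.sha256(tarball).hexdigest()


def vulnerable_accepts(doc, trusted_key, author_dir, dist, tarball):
    """Pre-2.29 logic: numeric status compare (bug 1); author_dir is never
    compared against anything because the file carries no binding (bug 2)."""
    if verify_signature(doc, trusted_key).numeric != SIGNATURE_OK.numeric:
        return False
    return digest_ok(parse_checksums(doc).get(dist), tarball)


def fixed_accepts(doc, trusted_key, author_dir, dist, tarball, require_cpan_path=False):
    """Exact status identity, and cpan_path must name the directory the file
    was fetched from.  Whether a legacy file without cpan_path is accepted is
    this example's policy knob, not a statement about CPAN.pm's behaviour."""
    if verify_signature(doc, trusted_key) is not SIGNATURE_OK:
        return False
    cksum = parse_checksums(doc)
    cpan_path = cksum.get("cpan_path")
    if cpan_path is None and require_cpan_path:
        return False
    if cpan_path is not None and cpan_path != author_dir:
        return False
    return digest_ok(cksum.get(dist), tarball)


def scenarios():
    """Returns {scenario: (vulnerable_accepts, fixed_accepts)} on constructed data."""
    dist = "Foo-Bar-1.00.tar.gz"
    good = b"victim's real tarball"
    evil = b"attacker's tarball with the same file name"
    victim_dir, mallory_dir = "V/VI/VICTIM", "M/MA/MALLORY"

    def entry(data):
        return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}

    victim_doc = pause_sign({"cpan_path": victim_dir, dist: entry(good)})
    # Bypass 2: Mallory, a real PAUSE author, uploads a dist with the victim's
    # file name into her own directory; PAUSE signs that CHECKSUMS honestly.
    mallory_doc = pause_sign({"cpan_path": mallory_dir, dist: entry(evil)})
    # Bypass 1: a forged CHECKSUMS with a garbage signature from a mirror/MITM.
    forged_doc = json.dumps({dist: entry(evil)}) + "\n#SIG " + "0" * 64
    args = (victim_dir, dist)  # the client fetched from the victim's directory
    return {
        "legit file in its own directory":
            (vulnerable_accepts(victim_doc, PAUSE_KEY, *args, good),
             fixed_accepts(victim_doc, PAUSE_KEY, *args, good)),
        "forged file, client can verify":
            (vulnerable_accepts(forged_doc, PAUSE_KEY, *args, evil),
             fixed_accepts(forged_doc, PAUSE_KEY, *args, evil)),
        "forged file, client cannot verify (bypass 1)":
            (vulnerable_accepts(forged_doc, None, *args, evil),
             fixed_accepts(forged_doc, None, *args, evil)),
        "Mallory's signed file in victim's directory (bypass 2)":
            (vulnerable_accepts(mallory_doc, PAUSE_KEY, *args, evil),
             fixed_accepts(mallory_doc, PAUSE_KEY, *args, evil)),
    }


if __name__ == "__main__":
    for name, (vuln, fixed) in scenarios().items():
        print(f"{name}: vulnerable={vuln} fixed={fixed}")
```

Running the file prints the four scenarios: both clients accept the legitimate file and reject a forgery they can check, but only the fixed client rejects the forgery when verification is impossible and rejects Mallory's genuinely signed file served from the victim's directory. Note that Mallory cannot strip cpan_path from her file, because it sits inside the signed body; the attribute is useless only for legacy files that never carried it, which is what the require_cpan_path knob is for.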