Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings
Niko Tyni
ntyni at debian.org
Wed Oct 23 20:20:04 BST 2019
Control: reassign -1 src:perl
Control: found -1 5.20.2-3
On Tue, Oct 22, 2019 at 12:36:14PM +0200, Vincent Lefevre wrote:
> Package: perl-modules-5.30
> Version: 5.30.0-8
> Severity: grave
> Tags: security
> Justification: user security hole
>
> I've just found that CPAN.pm does not check signatures by default:
>
> 'check_sigs' => q[0],
>
> Moreover, it downloads files using http, not https.
>
> The combination of both issues makes it very insecure, with a possible
> remote attack!
>
> And there are no warnings about that.
Thanks for your report.
FWIW this has been the case since forever.
https://www.cpan.org/SITES.html does not list any https mirrors.
I'm not at all familiar with this topic but a web search gives
https://www.perlmonks.org/?node_id=1158601
Quoting perlancar there for future reference:
PAUSE creates a CHECKSUMS file in the author's directory, listing each
release file along with its last modified time, size, MD5 and SHA256
checksums. The CHECKSUMS file is then signed by PAUSE. A CPAN client
can be instructed (e.g. --verify in cpanm) to check the signature of
the CHECKSUMS file.
A couple of issues: 1) signature verification is not enabled by default
in CPAN client (at least in cpanm); 2) most (all?) CPAN mirrors are
ftp/http and not https, so during the first installation where the
client does not have PAUSE's public key yet, a MITM attack can spoof
the CHECKSUMS file as well as the release tarballs without the client
being able to detect it. These issues can be fixed in the client:
enable --verify by default and bundle the PAUSE public key.
Additionally, an author can also sign his distribution using a framework
like Module::Signature. This will create a SIGNATURE file in the
top-level directory of the distribution which contains the checksums of
the files in the distribution. The SIGNATURE is then signed using the
author's PGP key. This protects the distribution from being tampered
with by the server (in this case, PAUSE).
A CPAN client can then be instructed (also --verify in cpanm) to check
this signature file. The 'cpansign' CLI tool distributed along with
Module::Signature can also be used for this purpose. The same issue
also exists: verify is not enabled by default. And another issue,
code signing by author is not mandatory and as far as I know, only a
small percentage of authors do this. And yet another issue, at least
when I tried it, tools like 'cpansign' are not strict by default: when
it fails to retrieve the required PGP public key, it still reports
"==> Signature verified OK! <=".
So as I understand this, verifying CHECKSUMS would be the thing to do,
and setting 'check_sigs' wouldn't really help (only deployed partially
and no web of trust to the module authors).
From a cursory look it looks to me like cpanm from src:cpanminus verifies
CHECKSUMS if Module::Signature (src:libmodule-signature-perl, bundles a
recent PAUSE public key) is installed, but CPAN.pm doesn't. But I might
be wrong.
I'm copying the security team. Would somebody be interested in digging
further into this?
Not touching the severity but given the long standing history this is
not a high priority item for me.
--
Niko Tyni ntyni at debian.org
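As an added illustration of the CHECKSUMS mechanism perlancar describes above (this is not code from the thread, CPAN.pm or cpanm): a Python script that parses a constructed CHECKSUMS file and checks a downloaded tarball's size and SHA256 against it. The sample layout is assumed to mirror what CPAN::Checksums writes (a clearsigned Perl hash in $cksum); the digest values are computed from the sample bytes, and the PGP signature on the file is assumed to be verified separately against the bundled PAUSE key.

```python
import hashlib
import hmac
import re

# Constructed sample: tarball bytes plus a CHECKSUMS file that covers them.
# Layout assumed to mirror CPAN::Checksums output (clearsigned Perl hash in $cksum);
# the digest and size below are computed from the sample bytes, so they match.
TARBALL_NAME = "Example-Dist-1.00.tar.gz"
TARBALL_BYTES = b"\x1f\x8b" + b"sample bytes standing in for a gzip stream\n" * 4
OTHER_SHA = "0" * 64

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

SAMPLE_CHECKSUMS = f"""0&&<<''; # this PGP-signed message is also valid perl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

$cksum = {{
  '{TARBALL_NAME}' => {{
    'sha256' => '{sha256_hex(TARBALL_BYTES)}',
    'size' => {len(TARBALL_BYTES)}
  }},
  'Other-Dist-0.01.tar.gz' => {{
    'sha256' => '{OTHER_SHA}',
    'size' => 1
  }}
}};
__END__
-----BEGIN PGP SIGNATURE-----
(signature block omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

ENTRY_RE = re.compile(r"'([^']+)'\s*=>\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(r"'([a-z0-9-]+)'\s*=>\s*'?([^',\s}]+)'?")

def parse_checksums(text: str) -> dict:
    """Return {filename: {field: value}} from the $cksum hash of a CHECKSUMS file.
    Only the clearsign framing is checked here; verify the PGP signature against
    the PAUSE key (e.g. with gpg) before trusting any digest this returns."""
    if "-----BEGIN PGP SIGNED MESSAGE-----" not in text:
        raise ValueError("CHECKSUMS is not clearsigned; refuse to use it")
    body = text.split("$cksum = {", 1)[1].split("__END__", 1)[0]
    return {name: dict(FIELD_RE.findall(fields)) for name, fields in ENTRY_RE.findall(body)}

def verify_download(name: str, data: bytes, checksums: dict) -> bool:
    """True only if the file is listed and both its size and SHA256 match."""
    entry = checksums.get(name)
    if entry is None or int(entry.get("size", -1)) != len(data):
        return False
    return hmac.compare_digest(entry.get("sha256", ""), sha256_hex(data))
```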