Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

Niko Tyni ntyni at debian.org
Wed Oct 23 20:20:04 BST 2019


Control: reassign -1 src:perl
Control: found -1 5.20.2-3

On Tue, Oct 22, 2019 at 12:36:14PM +0200, Vincent Lefevre wrote:
> Package: perl-modules-5.30
> Version: 5.30.0-8
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> I've just found that CPAN.pm does not check signatures by default:
> 
>   'check_sigs' => q[0],
> 
> Moreover, it downloads files using http, not https.
> 
> The combination of both issues makes it very insecure, with a possible
> remote attack!
> 
> And there are no warnings about that.

Thanks for your report.

FWIW this has been the case since forever.

https://www.cpan.org/SITES.html does not list any https mirrors.

I'm not at all familiar with this topic but a web search gives
 https://www.perlmonks.org/?node_id=1158601

Quoting perlancar there for future reference:

  PAUSE creates a CHECKSUMS file in author's directory, listing each
  release file along with its last modified time, size, MD5 and SHA256
  checksums. The CHECKSUMS file is then signed by PAUSE. A CPAN client
  can be instructed (e.g. --verify in cpanm) to check the signature of
  the CHECKSUMS file.

  A couple of issues: 1) signature verification is not enabled by default
  in CPAN client (at least in cpanm); 2) most (all?) CPAN mirrors are
  ftp/http and not https, so during the first installation where the
  client does not have PAUSE's public key yet, a MITM attack can spoof
  the CHECKSUMS file as well as the release tarballs without the client
  being able to detect it. These issues can be fixed in the client:
  enable --verify by default and bundle the PAUSE public key.

  Additionally, an author can also sign his distribution using a framework
  like Module::Signature. This will create a SIGNATURE file in the
  top-level directory of the distribution which contains the checksums of
  the files in the distribution. The SIGNATURE is then signed using the
  author's PGP key. This protects the distribution from being tampered
  with by the server (in this case, PAUSE).

  A CPAN client can then be instructed (also --verify in cpanm) to check
  this signature file. The 'cpansign' CLI tool distributed along with
  Module::Signature can also be used for this purpose. The same issue
  also exists: verify is not enabled by default. And another issue,
  code signing by author is not mandatory and as far as I know, only a
  small percentage of authors do this. And yet another issue, at least
  when I tried it, a tool like 'cpansign' is not strict by default: when
  it fails to retrieve the required PGP public key, it still reports
  "==> Signature verified OK! <=".

So as I understand this, verifying CHECKSUMS would be the thing to do,
and setting 'check_sigs' wouldn't really help (only deployed partially
and no web of trust to the module authors).

From a cursory look it looks to me like cpanm from src:cpanminus verifies
CHECKSUMS if Module::Signature (src:libmodule-signature-perl, bundles a
recent PAUSE public key) is installed, but CPAN.pm doesn't. But I might
be wrong.

I'm copying the security team. Would somebody be interested in digging
further into this?

Not touching the severity but given the long standing history this is
not a high priority item for me.
-- 
Niko Tyni   ntyni at debian.org
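The CHECKSUMS mechanism described above (each release listed with its size and SHA256, the file as a whole PGP-signed by PAUSE) boils down to two checks a client must make before unpacking anything: the signature on CHECKSUMS, and then the size and digest of the downloaded tarball against that record. The following Perl script is an added illustration of the second check, not code from CPAN.pm, cpanm or Module::Signature; the CHECKSUMS record, the distribution name and the file contents are constructed for the demonstration, and the signature verification is assumed to have been done separately (for example with gpg against the bundled PAUSE key) before the record is trusted.

```perl
#!/usr/bin/perl
# Added example: verify a release tarball against a CHECKSUMS-style record.
# This is illustrative code, not CPAN.pm's own implementation.
use strict;
use warnings;
use Digest::SHA;
use File::Temp qw(tempfile);

# Constructed CHECKSUMS-style data. A real CHECKSUMS file is Perl data of
# the shape  $cksum = { 'Dist-1.00.tar.gz' => { size => ..., sha256 => ... } }
# wrapped in a PGP clearsignature. Assumption: that signature has already been
# verified against the PAUSE public key; without that step (and over plain
# http) both this record and the tarball could have been replaced in transit.
my $cksum = {
    'Example-Dist-1.00.tar.gz' => {
        size   => 12,
        # sha256 of the constructed 12-byte file content "hello world\n"
        sha256 => 'a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447',
    },
};

# Check one downloaded file against the record. Returns (1, "ok") on success
# or (0, reason) on any failure. A missing entry is a failure, not a pass:
# falling back to "no checksum available" would defeat the whole mechanism.
sub verify_dist {
    my ($cksum, $name, $path) = @_;

    my $rec = $cksum->{$name}
        or return (0, "no CHECKSUMS entry for $name, refusing to install");

    my $size = -s $path;
    return (0, "cannot stat $path") unless defined $size;
    return (0, "size mismatch: expected $rec->{size}, got $size")
        unless $size == $rec->{size};

    open my $fh, '<:raw', $path or return (0, "cannot open $path: $!");
    my $got = Digest::SHA->new(256)->addfile($fh)->hexdigest;
    close $fh;

    return (0, "sha256 mismatch: expected $rec->{sha256}, got $got")
        unless lc $got eq lc $rec->{sha256};

    return (1, "ok");
}

# Helper for the demo: write constructed bytes to a temporary file.
sub write_temp {
    my ($bytes) = @_;
    my ($fh, $path) = tempfile(UNLINK => 1);
    binmode $fh;
    print {$fh} $bytes;
    close $fh;
    return $path;
}

# 1. The genuine (constructed) tarball content matches the record.
my $good = write_temp("hello world\n");
# 2. A same-length modification: size check passes, digest check must not.
my $bad  = write_temp("hello w0rld\n");
# 3. A file the record knows nothing about.
my $unknown = write_temp("anything\n");

for my $case (
    [ 'Example-Dist-1.00.tar.gz', $good    ],
    [ 'Example-Dist-1.00.tar.gz', $bad     ],
    [ 'Other-Dist-0.01.tar.gz',   $unknown ],
) {
    my ($name, $path) = @$case;
    my ($ok, $why) = verify_dist($cksum, $name, $path);
    printf "%-26s %s: %s\n", $name, ($ok ? 'PASS' : 'FAIL'), $why;
}
```

Run it with `perl verify_checksums.pl`; the first case passes, the second fails on the SHA256 comparison despite having the right size, and the third is rejected because the record has no entry for it. Digest::SHA and File::Temp are core modules, so the script needs nothing beyond perl itself. The point worth keeping in mind from the thread is that this check is only as good as the trust placed in `$cksum`: over unauthenticated http, and before the PAUSE key is present on the client, an attacker who can rewrite the CHECKSUMS file can make any tarball "verify", which is exactly why the signature check has to come first.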