Bug#1033109: libcpan-checksums-perl: CVE-2020-16155

Salvatore Bonaccorso carnil at debian.org
Wed Apr 19 19:43:38 BST 2023


Source: libcpan-checksums-perl
Source-Version: 2.13-1

Hi Gregor,

On Fri, Mar 17, 2023 at 09:40:18PM +0100, Salvatore Bonaccorso wrote:
> Hi Gregor,
> 
> On Fri, Mar 17, 2023 at 09:15:12PM +0100, gregor herrmann wrote:
> > On Fri, 17 Mar 2023 14:50:29 +0100, Moritz Mühlenhoff wrote:
> > 
> > > CVE-2020-16155[0]:
> > > | The CPAN::Checksums package 2.12 for Perl does not uniquely define
> > > | signed data.
> > > 
> > > https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
> > > http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html
> > 
> > After reading those webpages and looking at the diffs briefly, I
> > _think_ this is fixed upstream in 2.13 and in Debian with 2.13-1.
> > 
> > What do you think Salvatore?
> 
> My understanding so far was that the issue is not solely
> CPAN::Checksums, but a combination of what we can control in
> CPAN::Checksums and on the way the module was called on CPAN.
> 
> 2.13 adds the additional required path component, so maybe you are
> right and we should consider the CVE addressed on the package side
> with the addition of the cpan_path key.
> 
> For reference:
> 
> https://github.com/andk/cpan-checksums/commit/9d2f5f26470ff7ce53ef697d09790fc4db451ab1

Discussed this today with Moritz: Let's do that and consider it fixed
with the 2.13 introducing change. Much more can probably not be done.

Regards,
Salvatore
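Added illustration (not code from CPAN::Checksums, the upstream commit, or the Debian package): the 2.13 change binds a CHECKSUMS file to the directory it was written for via the cpan_path key, so a consumer can reject a CHECKSUMS file that is valid but was generated for a different directory. The CHECKSUMS text below is constructed, and the exact form of the cpan_path value ('authors/id/...') and the file entry are assumptions for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use Safe;

# Constructed CHECKSUMS text in the shape CPAN::Checksums writes (a Perl hash
# assignment). 'cpan_path' is the key added in 2.13; its value format and the
# file entry are made up for this example.
my $file_content   = "constructed tarball bytes\n";
my $checksums_text = sprintf <<'EOT', sha256_hex($file_content), length $file_content;
$cksum = {
  'cpan_path' => 'authors/id/E/EX/EXAMPLE',
  'Foo-Bar-1.00.tar.gz' => {
    'sha256' => '%s',
    'size'   => %d,
  },
};
EOT

# Evaluate the (already signature-verified) CHECKSUMS text in a Safe
# compartment rather than with a bare eval.
sub load_checksums {
    my ($text) = @_;
    my $cksum = Safe->new->reval($text);
    die "cannot parse CHECKSUMS: $@" if $@ or ref $cksum ne 'HASH';
    return $cksum;
}

# Accept a file only if the CHECKSUMS names the directory we fetched it
# from (cpan_path) and the digest and size match.
sub verify_file {
    my ($cksum, $expected_dir, $name, $content) = @_;
    return (0, 'missing cpan_path') unless defined $cksum->{cpan_path};
    return (0, "cpan_path '$cksum->{cpan_path}' is not '$expected_dir'")
        unless $cksum->{cpan_path} eq $expected_dir;
    my $entry = $cksum->{$name} or return (0, "no entry for $name");
    return (0, 'sha256 mismatch') unless $entry->{sha256} eq sha256_hex($content);
    return (0, 'size mismatch')   unless $entry->{size} == length $content;
    return (1, 'ok');
}

my $cksum = load_checksums($checksums_text);
my ($ok, $why) = verify_file($cksum, 'authors/id/E/EX/EXAMPLE', 'Foo-Bar-1.00.tar.gz', $file_content);
print "same directory:  ", ($ok ? 'accepted' : "rejected ($why)"), "\n";
# The same CHECKSUMS content served for another directory is rejected.
($ok, $why) = verify_file($cksum, 'authors/id/O/OT/OTHER', 'Foo-Bar-1.00.tar.gz', $file_content);
print "other directory: ", ($ok ? 'accepted' : "rejected ($why)"), "\n";
```

A CHECKSUMS file produced by 2.12 has no cpan_path key at all, which is why the check treats its absence as a failure rather than skipping it.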
