Bug#1033109: libcpan-checksums-perl: CVE-2020-16155

Salvatore Bonaccorso carnil at debian.org
Fri Mar 17 20:40:18 GMT 2023


Hi Gregor,

On Fri, Mar 17, 2023 at 09:15:12PM +0100, gregor herrmann wrote:
> On Fri, 17 Mar 2023 14:50:29 +0100, Moritz Mühlenhoff wrote:
> 
> > CVE-2020-16155[0]:
> > | The CPAN::Checksums package 2.12 for Perl does not uniquely define
> > | signed data.
> > 
> > https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
> > http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html
> 
> After reading those webpages and looking at the diffs briefly, I
> _think_ this is fixed upstream in 2.13 and in Debian with 2.13-1.
>
> What do you think Salvatore?

My understanding so far was that the issue is not solely
CPAN::Checksums, but a combination of what we can control in
CPAN::Checksums and the way the module was called on CPAN.

2.13 adds the additional required path component, so maybe you are
right and we should consider the CVE addressed on the package side
with the addition of the cpan_path key.

For reference:

https://github.com/andk/cpan-checksums/commit/9d2f5f26470ff7ce53ef697d09790fc4db451ab1

Regards,
Salvatore
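The substitution the thread is about, as an added illustration (this is not CPAN::Checksums' own code, and the record layout, author directories, file contents and the HMAC stand-in for the PGP signature are all constructed assumptions): a CHECKSUMS record that carries no path can be signed for one author directory and served, together with the file it describes, at a different directory, and a client that checks only the signature and the per-file digest accepts it. Binding the directory into the signed record (the `cpan_path` key added in 2.13) gives a client something to compare against, but only a client that actually performs that comparison benefits, which is the "how the module is called" side of the question above.

```python
"""Signed-data binding for a CHECKSUMS-like record (added example, not
CPAN::Checksums code).  The real CHECKSUMS file is a Perl data structure
signed with PGP; here a JSON record and an HMAC stand in for both, which
is enough to show why a missing path component matters."""
import hashlib
import hmac
import json

# Constructed stand-in for the signer's key (PAUSE's PGP key in reality).
SIGNING_KEY = b"constructed-demo-signing-key"


def sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def canonical(record: dict) -> bytes:
    # Deterministic serialization so the signature covers a fixed byte string.
    return json.dumps(record, sort_keys=True).encode()


def make_checksums(directory: str, files: dict, include_path: bool) -> dict:
    """Build a signed record for the files in `directory`.

    files maps file name -> bytes.  With include_path=False the record
    holds only per-file digests (the shape before 2.13); with True it
    also names the directory it belongs to under a cpan_path key.
    """
    record = {name: {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
              for name, data in files.items()}
    if include_path:
        record["cpan_path"] = directory
    return {"record": record, "sig": sign(canonical(record))}


def verify_signature_only(checksums: dict) -> bool:
    """What a client that ignores the path checks: signature over the record."""
    return hmac.compare_digest(checksums["sig"], sign(canonical(checksums["record"])))


def verify_with_path(checksums: dict, expected_directory: str) -> bool:
    """Signature must hold AND the record must name the directory the
    client is fetching from.  A record with no cpan_path is rejected,
    since it could have been signed for any directory."""
    if not verify_signature_only(checksums):
        return False
    return checksums["record"].get("cpan_path") == expected_directory


def substitution_demo(include_path: bool) -> dict:
    """Signer legitimately signs two directories; a hostile mirror serves
    the attacker's record and tarball at the victim's path.  Returns what
    each kind of client sees."""
    victim_dir = "authors/id/V/VI/VICTIM"        # constructed
    attacker_dir = "authors/id/A/AT/ATTACKER"    # constructed
    benign = b"benign Foo-1.0 tarball (constructed)"
    trojan = b"trojaned Foo-1.0 tarball (constructed)"

    victim_cs = make_checksums(victim_dir, {"Foo-1.0.tar.gz": benign}, include_path)
    attacker_cs = make_checksums(attacker_dir, {"Foo-1.0.tar.gz": trojan}, include_path)

    # The mirror swaps both the record and the file under the victim's path.
    served_cs, served_file = attacker_cs, trojan
    digest_matches = (served_cs["record"]["Foo-1.0.tar.gz"]["sha256"]
                      == hashlib.sha256(served_file).hexdigest())
    return {
        "signature_ok": verify_signature_only(served_cs),
        "file_matches_record": digest_matches,
        "accepted_by_path_check": verify_with_path(served_cs, victim_dir),
        "legit_accepted": verify_with_path(victim_cs, victim_dir),
    }


if __name__ == "__main__":
    for with_path in (False, True):
        print("cpan_path present:", with_path, substitution_demo(with_path))
```

Both runs show the swapped record passing the signature and digest checks; only a record that names its directory, checked by a client that compares it, lets the legitimate file through while rejecting the swapped one.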


