Source: libcpan-checksums-perl Source-Version: 2.13-1 Hi Gregor,
On Fri, Mar 17, 2023 at 09:40:18PM +0100, Salvatore Bonaccorso wrote: > Hi Gregor, > > On Fri, Mar 17, 2023 at 09:15:12PM +0100, gregor herrmann wrote: > > On Fri, 17 Mar 2023 14:50:29 +0100, Moritz Mühlenhoff wrote: > > > > > CVE-2020-16155[0]: > > > | The CPAN::Checksums package 2.12 for Perl does not uniquely define > > > | signed data. > > > > > > https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/ > > > http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html > > > > After reading those webpages and looking at the diffs briefly, I > > _think_ this is fixed upstream in 2.13 and in Debian with 2.13-1. > > > > What do you think Salvatore? > > My understanding so far was that the issue is not solely > CPAN::Checksums, but a combination of what we can control in > CPAN::Checksums and on the way the module was called on CPAN. > > 2.13 adds the additional required path component, so maybe you are > right and we should consider the CVE addressed on the package side > with the addition of the cpan_path key. > > For reference: > > https://github.com/andk/cpan-checksums/commit/9d2f5f26470ff7ce53ef697d09790fc4db451ab1 Discussed this today with Moritz: Let's do that and consider it fixed with the 2.13 introducing change. Much more can probably not be done. Regards, Salvatore