[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files

2023-04-26 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
Bug 2035341 depends on bug 2037408, which changed state.

Bug 2037408 Summary: CVE-2020-16154 
perl-App-cpanminus:1.7044/perl-App-cpanminus: Bypass of verification of 
signatures in CHECKSUMS files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2037408

   What|Removed |Added

 Status|NEW |CLOSED
 Resolution|--- |WONTFIX




-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files

2023-04-26 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
Bug 2035341 depends on bug 2035342, which changed state.

Bug 2035342 Summary: CVE-2020-16154 perl-App-cpanminus: Bypass of verification 
of signatures in CHECKSUMS files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2035342

   What|Removed |Added

 Status|NEW |CLOSED
 Resolution|--- |WONTFIX






[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files

2022-12-13 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2035341
Bug 2035341 depends on bug 2037407, which changed state.

Bug 2037407 Summary: CVE-2020-16154 perl-Menlo-Legacy: perl-App-cpanminus: 
Bypass of verification of signatures in CHECKSUMS files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2037407

   What|Removed |Added

 Status|NEW |CLOSED
 Resolution|--- |EOL






[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files

2022-01-10 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2035341


--- Doc Text *updated* by Eric Christensen  ---
A flaw was found in the way perl-App-cpanminus performed verification of 
package signatures stored in CHECKSUMS files. A malicious or compromised CPAN 
server used by a user, or a man-in-the-middle attacker, could use this flaw to 
bypass signature verification.





[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files

2022-01-10 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2035341


--- Doc Text *updated* by Tomas Hoger  ---
A flaw was found in the way perl-App-cpanminus performed verification of 
package signatures stored in CHECKSUMS files. A malicious or compromised CPAN 
server used by the user, or a man-in-the-middle attacker, could use this flaw 
to bypass signature verification.


--- Comment #8 from Tomas Hoger  ---
The mitigation recommended by upstream is to ensure that users are only using
trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and always use HTTPS
when downloading packages. The cpanm command can be configured to use the
specific CPAN mirror using the --from command line option by running it as:

  cpanm --from https://www.cpan.org ...

You can also set environment variable PERL_CPANM_OPT to include this command
line option to avoid having to specify the URL for every cpanm invocation:

  export PERL_CPANM_OPT="--from https://www.cpan.org"


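The mitigation in comment 8 depends on two things being true on a host: cpanm is pinned to a single mirror with --from, and that mirror is one of the recommended hosts reached over HTTPS. The following audit script is an added example, not code from the bug report or from App::cpanminus; it reads PERL_CPANM_OPT the way the report describes (the --from option, accepted in both the "--from URL" and "--from=URL" spellings), and the list of trusted mirrors is taken from the comment above. The function and variable names are the example's own.

```python
"""Audit that cpanm is pinned to a trusted HTTPS CPAN mirror.

Added example (not from the bug report or cpanminus). Checks the two
settings the upstream mitigation relies on: a --from option in
PERL_CPANM_OPT and that option naming one of the recommended mirrors
over HTTPS.
"""
import os
import shlex
from urllib.parse import urlsplit

# Mirrors named as trusted in the upstream mitigation (comment 8).
TRUSTED_MIRRORS = frozenset({"www.cpan.org", "cpan.metacpan.org"})


def mirror_from_options(opt_string):
    """Return the URL given to --from in a cpanm option string, or None.

    Accepts both "--from URL" and "--from=URL". If --from appears more
    than once the last occurrence is taken, so a later override is what
    gets reported.
    """
    mirror = None
    args = shlex.split(opt_string)
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "--from" and i + 1 < len(args):
            mirror = args[i + 1]
            i += 2
            continue
        if arg.startswith("--from="):
            mirror = arg[len("--from="):]
        i += 1
    return mirror


def check_mirror(url):
    """Classify a mirror URL. Returns (ok, reason)."""
    if url is None:
        return False, "no --from option: cpanm is not pinned to a single HTTPS mirror"
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme %r is not https; downloads are not protected in transit" % parts.scheme
    host = parts.hostname or ""
    if host not in TRUSTED_MIRRORS:
        return False, "host %r is not one of the recommended mirrors" % host
    return True, "pinned to trusted HTTPS mirror %s" % host


def audit_env(env):
    """Audit a mapping such as os.environ. Returns (ok, reason)."""
    return check_mirror(mirror_from_options(env.get("PERL_CPANM_OPT", "")))


if __name__ == "__main__":
    ok, reason = audit_env(os.environ)
    print(("OK: " if ok else "WARN: ") + reason)
```

Run it in the shell profile that developers and build hosts actually use; an empty PERL_CPANM_OPT is reported as a warning because in that case the mirror choice is left to cpanm rather than pinned.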


[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files

2022-01-10 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2035341



--- Comment #7 from Tomas Hoger  ---
Additional details about these issues can be found in the following blog post:

http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html




[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files

2022-01-10 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2035341

Tomas Hoger  changed:

   What|Removed |Added

 Depends On||2038837, 2038835, 2038836, 2038834






[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files

2022-01-07 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2035341



--- Comment #5 from Tomas Hoger  ---
Upstream fixes linked in comment 2 do not completely address all issues - they
still make it possible to include crafted $cksum data before the signed content
of the CHECKSUMS file and have that accepted by App::cpanminus.  This problem
was reported upstream via:

https://github.com/miyagawa/cpanminus/issues/639

Upstream responded that their decision was to not fix and rather remove
signature verification completely:

https://github.com/miyagawa/cpanminus/commit/1afe4a9cac56fa593e24bf5714c8992ba04b925e


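Comment 5 describes the residual problem: a CHECKSUMS file may carry $cksum data in front of the PGP clearsigned block and still be accepted. The defensive shape of a fix is to evaluate only the text that the signature actually covers and to refuse the file when anything else is present. The following helper is an added example, not code from the bug report, CPAN.pm or App::cpanminus. It assumes the layout CPAN::Checksums writes (a first line of `0&&<<''; # this PGP-signed message is also valid perl`, then a clearsigned `$cksum` hash); the sample file, its hash and its signature block are constructed placeholders, and the example stops short of calling an OpenPGP verifier (Module::Signature or gpg), which would receive the returned body.

```python
"""Isolate the signed portion of a CPAN CHECKSUMS file.

Added example (not from the bug report, CPAN.pm or cpanminus). Splits a
CHECKSUMS file into the text before the clearsigned block, the signed
body and the text after the signature, so the caller can hand only the
signed body to the OpenPGP verifier and reject any unsigned content.
"""
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
# CPAN::Checksums writes this first line so the file is also valid Perl.
ALLOWED_PREFIX_LINE = "0&&<<''; # this PGP-signed message is also valid perl"


class ChecksumsFormatError(ValueError):
    """Raised when the file does not have exactly one clean signed block."""


def split_clearsigned(text):
    """Return (prefix_lines, signed_body, suffix_lines).

    prefix_lines are the lines before the clearsign header, suffix_lines
    the lines after the signature; neither is covered by the signature.
    """
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ChecksumsFormatError("missing PGP clearsign framing")
    # Armor headers such as "Hash: SHA256" run until the first blank line.
    body_start = start + 1
    while body_start < sig_start and lines[body_start].strip():
        body_start += 1
    body_start += 1  # skip the blank separator
    if body_start > sig_start:
        raise ChecksumsFormatError("clearsign header not terminated")
    # Clearsigned text is dash-escaped: a leading "- " protects lines that
    # start with "-". Undo it so the body matches what was signed.
    body_lines = [l[2:] if l.startswith("- ") else l for l in lines[body_start:sig_start]]
    return lines[:start], "\n".join(body_lines), lines[sig_end + 1:]


def signed_body(text):
    """Return the body to evaluate, or raise if unsigned content is present."""
    prefix, body, suffix = split_clearsigned(text)
    stray = [l for l in prefix if l.strip() and l != ALLOWED_PREFIX_LINE]
    stray += [l for l in suffix if l.strip()]
    if stray:
        raise ChecksumsFormatError("unsigned content outside the signed block: %r" % stray[0])
    return body


# Constructed sample; hash and signature values are placeholders.
CLEAN_SAMPLE = "\n".join([
    ALLOWED_PREFIX_LINE,
    BEGIN_SIGNED,
    "Hash: SHA256",
    "",
    "# CHECKSUMS file written by CPAN::Checksums (constructed sample)",
    "$cksum = {",
    "  'Foo-1.00.tar.gz' => {",
    "    'sha256' => '0000000000000000000000000000000000000000000000000000000000000000',",
    "    'size' => 1234",
    "  }",
    "};",
    "",
    "__END__",
    BEGIN_SIG,
    "",
    "cGxhY2Vob2xkZXI=",
    "=AAAA",
    END_SIG,
    "",
])

# The same file with an unsigned $cksum assignment placed before the signed block,
# the shape of input comment 5 says the upstream fixes still accepted.
TAMPERED_SAMPLE = "$cksum = { 'Foo-1.00.tar.gz' => { 'sha256' => 'unsigned' } };\n" + CLEAN_SAMPLE


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        try:
            print(name, "->", len(signed_body(sample)), "signed bytes")
        except ChecksumsFormatError as e:
            print(name, "->", "rejected:", e)
```

The body returned by signed_body() is the only text that should ever reach a Perl eval of $cksum, and only after the OpenPGP verifier has confirmed the signature over exactly that text; a file that fails the structural check is rejected before any signature check runs.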


[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files

2022-01-05 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2035341

Tomas Hoger  changed:

   What|Removed |Added

 Depends On||2037408, 2037407





Referenced Bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=2037407
[Bug 2037407] CVE-2020-16154 perl-Menlo-Legacy: perl-App-cpanminus: Bypass of
verification of signatures in CHECKSUMS files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2037408
[Bug 2037408] CVE-2020-16154 perl-App-cpanminus:1.7044/perl-App-cpanminus:
Bypass of verification of signatures in CHECKSUMS files [fedora-all]


[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files

2022-01-05 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2035341



--- Comment #3 from Tomas Hoger  ---
Created perl-App-cpanminus:1.7044/perl-App-cpanminus tracking bugs for this
issue:

Affects: fedora-all [bug 2037408]


Created perl-Menlo-Legacy tracking bugs for this issue:

Affects: fedora-all [bug 2037407]




[Bug 2035341] CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files

2022-01-05 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2035341

Tomas Hoger  changed:

   What|Removed |Added

 Summary|CVE-2020-16154 perl-App-cpanminus: signature verification bypass |CVE-2020-16154 perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files



--- Comment #2 from Tomas Hoger  ---
Refer to bug 2035273 comment 2 for additional details about this issue.  Bug
2035273 covers these problems in perl-CPAN / CPAN.pm, and App::cpanminus is
affected in a similar way and hence the description of issues applies to both
modules.

The App::cpanminus module has not yet been fixed for this issue.  Fixes were
only applied to Menlo / Menlo-Legacy, which is a development version of the
future cpanm version 2.0.

Commit that corrects checking of the Module::Signature::_verify() return value:
https://github.com/miyagawa/cpanminus/commit/98f43b64165a54e05ce25f9de09284ccb34f4776

Commit that adds support for the cpan_path attribute in CHECKSUMS files:
https://github.com/miyagawa/cpanminus/commit/3c93db75ccbc75c813c7f12ea0301af20a265f65

