Bugzilla – Full Text Bug Listing
Summary: VUL-0: CVE-2020-16156: perl: CPAN 2.28 allows Signature Verification Bypass.
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Leroy <thomas.leroy>
Component: Incidents
Assignee: Michael Schröder <mls>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Priority: P3 - Medium
CC: coolo, joao.silva, mls, smash_bz
Found By: Security Response Team
Services Priority:
Marketing QA Status: ---
IT Deployment: ---
Description Thomas Leroy 2021-12-15 16:00:28 UTC
CVE-2020-16156: CPAN 2.28 allows Signature Verification Bypass.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16156
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16156
https://metacpan.org/pod/distribution/CPAN/scripts/cpan
https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
Comment 1 Thomas Leroy 2021-12-15 16:06:51 UTC
SUSE:SLE-12:Update should be affected
Comment 2 Stephan Kulow 2021-12-16 06:18:49 UTC
Installing packages from cpan isn't supported anyway. So whoever does that is acting at their own risk, so I don't think releasing an update to sle12 is worth it.
Comment 3 Stephan Kulow 2021-12-16 06:37:36 UTC
But in any case, CPAN::Meta is not related to downloading from cpan; it's providing metadata for cpan authors. CPAN.pm is part of the perl package.
Comment 4 Thomas Leroy 2021-12-16 10:49:05 UTC
Thank you very much, Stephan, for the clarifications. With perl affected, we would have more codestreams affected. Stephan, how does the fact that installing packages with cpan is not supported affect us? Is it still possible for our customers to install packages this way? If yes, it would be great to backport patches anyway; a signature verification bypass is quite severe...
Comment 5 Stephan Kulow 2021-12-16 10:56:28 UTC
Perl users have downloaded random things from the internet for decades. So if they download crap, or crap with backdoors, they hopefully have multiple lines of defense. It's a bit like making "I used `curl XXX | sh` and it got me in trouble" a curl problem. Our perl package offers a downloader, but we don't recommend using it.
Comment 13 Thomas Leroy 2022-07-11 07:10:59 UTC
We published a TID for this CVE. Applying the workaround as described in the TID is sufficient to fix this vulnerability, and is highly recommended to ensure only trusted mirrors are used. Closing as WONTFIX. https://www.suse.com/support/kb/doc/?id=000020691
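The thread closes on "ensure only trusted mirrors are used" without showing what that looks like in CPAN.pm's own configuration. The script below is an added example, not taken from the TID, from SUSE, or from CPAN.pm itself: it audits a CPAN.pm `urllist` (the mirror list CPAN.pm writes to ~/.cpan/CPAN/MyConfig.pm) and flags every entry that is not HTTPS or whose host is outside a trusted set. The trusted host and the four sample URLs are constructed for the example; the `audit_urllist` function and its policy are assumptions, not anything the TID prescribes.

```perl
#!/usr/bin/perl
# Added example (not from the SUSE TID or from CPAN.pm): audit the CPAN.pm
# urllist so that only trusted HTTPS mirrors remain. A plaintext http://,
# ftp:// or file:// mirror lets whoever controls the path or the host serve
# arbitrary tarballs and CHECKSUMS files to the client.
use strict;
use warnings;

# Trusted mirror hosts. Assumption for this example; use your own list.
my @TRUSTED_HOSTS = qw(cpan.metacpan.org);

# Constructed sample in the layout CPAN.pm uses for $CPAN::Config->{urllist}.
# To audit the real configuration, replace this hash with:
#   do "$ENV{HOME}/.cpan/CPAN/MyConfig.pm"; my $Config = $CPAN::Config;
my $Config = {
    urllist => [
        'https://cpan.metacpan.org/',          # trusted, HTTPS
        'http://mirror.example.net/CPAN/',     # plaintext: on-path tampering
        'ftp://ftp.example.org/pub/CPAN/',     # plaintext
        'https://cpan.example.com/',           # HTTPS but not in trusted set
        'file:///srv/cpan-mirror/',            # local, not checked by anyone
    ],
};

# Return one "url: reason" string per entry that violates the policy.
# An empty return list means every mirror is HTTPS and on the trusted list.
sub audit_urllist {
    my ($urllist, $trusted) = @_;
    my %ok = map { lc($_) => 1 } @$trusted;
    my @problems;
    for my $url (@$urllist) {
        # Accept only https://host[:port]/...; everything else is rejected
        # regardless of host, because the transport itself is untrusted.
        if ($url !~ m{^https://([^/:]+)(?::\d+)?/}i) {
            push @problems, "$url: not an https:// URL";
            next;
        }
        my $host = lc $1;
        push @problems, "$url: host $host is not in the trusted list"
            unless $ok{$host};
    }
    return @problems;
}

my @bad = audit_urllist($Config->{urllist}, \@TRUSTED_HOSTS);
if (@bad) {
    print "untrusted mirror: $_\n" for @bad;
    exit 1;
}
print "urllist OK: only trusted HTTPS mirrors configured\n";
```

Run against the constructed sample, the script reports four untrusted entries and exits non-zero; only `https://cpan.metacpan.org/` passes. To fix a real configuration, set `urllist` to the trusted mirror only (in the cpan shell, `o conf urllist <url>` followed by `o conf commit`). Note that CPAN.pm needs an HTTPS-capable downloader (LWP with SSL support, or an external curl/wget) for an HTTPS-only list to work at all, and that restricting mirrors limits who can serve you files; it does not by itself add signature verification on the client.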