Bug 1193771 (CVE-2020-16156)

Summary: VUL-0: CVE-2020-16156: perl: CPAN 2.28 allows Signature Verification Bypass.
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Leroy <thomas.leroy>
Component: Incidents
Assignee: Michael Schröder <mls>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: coolo, joao.silva, mls, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/317300/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-16156:8.1:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Thomas Leroy 2021-12-15 16:06:51 UTC
SUSE:SLE-12:Update should be affected
Comment 2 Stephan Kulow 2021-12-16 06:18:49 UTC
Installing packages from cpan isn't supported anyway. So whoever does that is acting at their own risk, so I don't think releasing an update to sle12 is worth it.
Comment 3 Stephan Kulow 2021-12-16 06:37:36 UTC
But in any case, CPAN::Meta is not related to downloading from cpan; it provides metadata for cpan authors. CPAN.pm is part of the perl package.
Comment 4 Thomas Leroy 2021-12-16 10:49:05 UTC
Thank you very much Stephan for the clarifications. With perl affected, we would have more codestreams affected.

Stephan, how could the fact that installing packages with cpan is not supported affect us? Is it still possible for our customers to install packages in this way? If yes, it would be great to backport patches anyway; a signature verification bypass is quite severe...
Comment 5 Stephan Kulow 2021-12-16 10:56:28 UTC
Perl users have downloaded random things from the internet for decades. So if they download crap, or crap with backdoors, they hopefully have multiple lines of defense.

It's a bit like making "I used `curl XXX | sh` and it got me in trouble" a curl problem. Our perl package offers a downloader, but we don't recommend using it.
Comment 13 Thomas Leroy 2022-07-11 07:10:59 UTC
We published a TID [0] for this CVE. Applying the workaround as described in the TID is sufficient to fix this vulnerability, and it is highly recommended to ensure only trusted mirrors are used. Closing as WONTFIX.

[0] https://www.suse.com/support/kb/doc/?id=000020691