Bug 1193771 - (CVE-2020-16156) VUL-0: CVE-2020-16156: perl: CPAN 2.28 allows Signature Verification Bypass.
VUL-0: CVE-2020-16156: perl: CPAN 2.28 allows Signature Verification Bypass.
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Minor
: ---
Assigned To: Michael Schröder
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2021-12-15 16:00 UTC by Thomas Leroy
Modified: 2022-07-11 07:10 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Thomas Leroy 2021-12-15 16:06:51 UTC
SUSE:SLE-12:Update should be affected
Comment 2 Stephan Kulow 2021-12-16 06:18:49 UTC
Installing packages from cpan isn't supported anyway. So whoever does that is acting on their own risk, so I don't think releasing an update to sle12 is worth it.
Comment 3 Stephan Kulow 2021-12-16 06:37:36 UTC
but in any case, CPAN::Meta is not related to downloading from cpan, it's providing meta data for cpan authors. CPAN.pm is part of the perl package
Comment 4 Thomas Leroy 2021-12-16 10:49:05 UTC
Thank you very much Stephan for the clarifications. With perl affected, we would have more codestreams affected.

Stephan, how the fact that installing packages with cpan is not supported could affect us? Is it still possible for our customer to install packages in this way? If yes, that would be great to backport patches anyway, a signature verification bypass is quite severe...
Comment 5 Stephan Kulow 2021-12-16 10:56:28 UTC
Perl users downloaded random things from the internet for decades. So if they download crap or crap with backdoors - they hopefully have multiple lines of defense.

It's a bit like making "I used `curl XXX | sh` and got me in trouble a curl problem. our perl package offers a downloader, but we don't recommend using it.
Comment 13 Thomas Leroy 2022-07-11 07:10:59 UTC
We published a TID for this CVE. Applying the workaround as described in the TID is sufficient to be fix this vulnerability, and highly recommended to ensure only trusted mirrors are used. Closing as WONTFIX.

[0] https://www.suse.com/support/kb/doc/?id=000020691