Closed skaji closed 2 years ago
Thanks!
Hi,
is this a fix for the vulnerability mentioned here: https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/ ?
Can you estimate when you will release this? Currently there is a request to remove cpanm from openSUSE until this is fixed, and we would like to avoid that of course.
While this PR is a bug fix for the signature verification, the correct way forward is to stop relying on the signature verification, and use the trusted source such as www.cpan.org over TLS.
There's some fallacy where cpanm is determined vulnerable because it offers a signature verification option (which is off by default) while cpm is not vulnerable because it doesn't perform a verification at all. Either way, this CVE doesn't apply to most users of cpanm who don't use the --verify option.
I am considering another PR to remove/deprecate the signature verification from --verify, with documentation that you should not rely upon the signature verification.
This PR does 2 things in verify_checksums/verify_checksums_signature:
In addition, we import PAUSE2022.pub by ourselves in tests; this workaround will be safely deleted once Module::Signature itself bundles the key. See https://github.com/audreyt/module-signature/pull/31