miyagawa / cpanminus

cpanminus - get, unpack, build and install modules from CPAN
http://cpanmin.us

[CVE-2020-16154] remove the functionality to verify CHECKSUMS signature #638

Closed miyagawa closed 2 years ago

miyagawa commented 2 years ago

This PR removes the functionality to verify the signature of CHECKSUMS files, since it's been known that there are certain ways to bypass the check.

While @skaji et al have fixed a particular issue leading to the CVE, in my opinion the use of self-contained PGP signature to verify the integrity has its design issues, and it's simpler to rely on HTTPS and download the archives from the official CPAN/PAUSE mirrors, as described in the notes as the mitigation: http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html

CHECKSUMS files are still downloaded and checked, to make sure the tarballs are not corrupt in transit, but cpanm won't check if the CHECKSUMS files are signed by PAUSE pgp keys.
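The integrity check that remains after this change, as an added illustration rather than cpanm's own code: a CHECKSUMS file is a PGP-clearsigned Perl hash, and the sample below is constructed (hypothetical distribution name, signature trailer omitted) and parsed with a regex instead of cpanm's real parser. The signature block is skipped entirely, so what the check still catches is a corrupt or truncated tarball, not a substituted one; authenticity rests on fetching both files over HTTPS from an official mirror, as the PR description says.

```python
import hashlib
import re

# Constructed sample archive (not a real tarball) and a matching CHECKSUMS file
# in the layout PAUSE publishes: clearsign armor, a $cksum Perl hash, __END__,
# then the PGP signature, which this code deliberately does not verify.
ARCHIVE = b"constructed tarball bytes for demonstration only\n"
CHECKSUMS = f"""0&&<<''; # this PGP-signed message is also valid perl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

# CHECKSUMS file for directory $CPAN/authors/id/E/EX/EXAMPLE (constructed).
$cksum = {{
  'Example-Dist-0.01.tar.gz' => {{
    'sha256' => '{hashlib.sha256(ARCHIVE).hexdigest()}',
    'size' => {len(ARCHIVE)}
  }},
}};
__END__
-----BEGIN PGP SIGNATURE-----
(signature data omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

ENTRY_RE = re.compile(r"'([^']+)'\s*=>\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(r"'(\w+)'\s*=>\s*'?([^',\s]+)'?")


def parse_checksums(text):
    """Return {filename: {field: value}} from the $cksum hash.

    Only the region between '$cksum = {' and '__END__' is read; the clearsign
    header and the signature trailer are ignored (no authenticity check)."""
    body = text.split("$cksum = {", 1)[1].split("__END__", 1)[0]
    entries = {}
    for m in ENTRY_RE.finditer(body):
        entries[m.group(1)] = dict(FIELD_RE.findall(m.group(2)))
    return entries


def verify_archive(name, data, checksums):
    """Corruption-in-transit check: size and sha256 must match the entry."""
    entry = parse_checksums(checksums).get(name)
    if entry is None:
        return "missing"
    if int(entry["size"]) != len(data):
        return "size mismatch"
    if hashlib.sha256(data).hexdigest() != entry["sha256"]:
        return "sha256 mismatch"
    return "ok"
```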

miyagawa commented 2 years ago

backporting to the latest stable 1.7 here: https://github.com/miyagawa/cpanminus/commit/1afe4a9cac56fa593e24bf5714c8992ba04b925e

perlpunk commented 2 years ago

hi @miyagawa, I'm just checking if there are any plans to release this on CPAN. We at SUSE might try to backport this change to the tarball, but maybe we wouldn't need to if you plan a release in the near future :)

miyagawa commented 2 years ago

@perlpunk this patch has been backported and released as 1.7045 to CPAN.

perlpunk commented 2 years ago

thank you!