On Wed, Oct 23, 2019 at 10:20:04PM +0300, Niko Tyni wrote:
> Control: reassign -1 src:perl
> Control: found -1 5.20.2-3
>
> On Tue, Oct 22, 2019 at 12:36:14PM +0200, Vincent Lefevre wrote:
> > Package: perl-modules-5.30
> > Version: 5.30.0-8
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > I've just found that CPAN.pm does not check signatures by default:
> >
> > 'check_sigs' => q[0],
> >
> > Moreover, it downloads files using http, not https.
> >
> > The combination of both issues makes it very insecure, with a possible
> > remote attack!
> >
> > And there are no warnings about that.
>
> Thanks for your report.
>
> FWIW this has been the case since forever.
>
> https://www.cpan.org/SITES.html does not list any https mirrors.
>
> I'm not at all familiar with this topic but a web search gives
> https://www.perlmonks.org/?node_id=1158601
>
> Quoting perlancar there for future reference:
>
> PAUSE creates a CHECKSUMS file in the author's directory, listing each
> release file along with its last modified time, size, MD5 and SHA256
> checksums. The CHECKSUMS file is then signed by PAUSE. A CPAN client
> can be instructed (e.g. --verify in cpanm) to check the signature of
> the CHECKSUMS file.
>
> A couple of issues: 1) signature verification is not enabled by default
> in the CPAN client (at least in cpanm); 2) most (all?) CPAN mirrors are
> ftp/http and not https, so during the first installation, where the
> client does not have PAUSE's public key yet, a MITM attack can spoof
> the CHECKSUMS file as well as the release tarballs without the client
> being able to detect it. These issues can be fixed in the client:
> enable --verify by default and bundle the PAUSE public key.
>
> Additionally, an author can also sign his distribution using a framework
> like Module::Signature. This will create a SIGNATURE file in the
> top-level directory of the distribution which contains the checksums of
> the files in the distribution. The SIGNATURE is then signed using the
> author's PGP key. This protects the distribution from being tampered
> with by the server (in this case, PAUSE).
>
> A CPAN client can then be instructed (also --verify in cpanm) to check
> this signature file. The 'cpansign' CLI tool distributed along with
> Module::Signature can also be used for this purpose. The same issue
> also exists: verify is not enabled by default. And another issue:
> code signing by the author is not mandatory and, as far as I know, only a
> small percentage of authors do this. And yet another issue: at least
> when I tried it, a tool like 'cpansign' is not strict by default: when
> it fails to retrieve the required PGP public key, it still reports
> "==> Signature verified OK! <=".
>
> So as I understand this, verifying CHECKSUMS would be the thing to do,
> and setting 'check_sigs' wouldn't really help (only deployed partially
> and no web of trust to the module authors).
>
> From a cursory look it looks to me like cpanm from src:cpanminus verifies
> CHECKSUMS if Module::Signature (src:libmodule-signature-perl, bundles a
> recent PAUSE public key) is installed, but CPAN.pm doesn't. But I might
> be wrong.
>
> I'm copying the security team. Would somebody be interested in digging
> further into this?
>
> Not touching the severity but given the long standing history this is
> not a high priority item for me.

From my PoV, people are free to work with upstream to get that fixed, but
there's no reason to treat this as an RC bug.

Cheers,
Moritz
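The CHECKSUMS mechanism quoted above (a PAUSE-signed manifest listing mtime, size, MD5 and SHA256 per release) is small enough to illustrate end to end. The following is an added example for this thread, not code from the bug report, from CPAN.pm or from cpanm: it parses a constructed manifest in the shape perlancar describes and verifies a downloaded release against it. The distribution names, tarball bytes and PGP signature block are made up; verification of the manifest's own PAUSE signature is represented by a boolean, since that step needs the PAUSE public key and a PGP implementation. The order of the checks encodes the thread's point: without a verified manifest signature, a matching SHA256 proves nothing, because over plain http the manifest can be replaced together with the tarball.

```python
"""Verify a CPAN release file against a PAUSE-style CHECKSUMS manifest.

Added example, not code from CPAN.pm or cpanm. The manifest below is
constructed to match the structure described in the thread; the hashes
are computed in-script from constructed tarball bytes.
"""
import hashlib
import hmac
import re

# Constructed stand-in for a downloaded release tarball (not a real dist).
SAMPLE_TARBALL = b"constructed-tarball-bytes-for-Foo-Bar-1.00\n"

# Constructed CHECKSUMS text. A real file is a PGP clearsigned message
# that is also valid Perl ($cksum = { ... }); only the shape is reproduced,
# and the signature block is a placeholder.
SAMPLE_CHECKSUMS = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Package Checksums (constructed sample)
$cksum = {
  'Foo-Bar-1.00.tar.gz' => {
    'md5' => '%s',
    'mtime' => '2019-10-20',
    'sha256' => '%s',
    'size' => %d
  },
  'Old-Dist-0.01.tar.gz' => {
    'md5' => 'd41d8cd98f00b204e9800998ecf8427e',
    'mtime' => '2003-01-01',
    'size' => 0
  }
};
__END__
-----BEGIN PGP SIGNATURE-----
PLACEHOLDER-SIGNATURE
-----END PGP SIGNATURE-----
""" % (hashlib.md5(SAMPLE_TARBALL).hexdigest(),
       hashlib.sha256(SAMPLE_TARBALL).hexdigest(),
       len(SAMPLE_TARBALL))

ENTRY_RE = re.compile(r"'([^']+)'\s*=>\s*\{([^}]*)\}")
FIELD_RE = re.compile(r"'([A-Za-z0-9_-]+)'\s*=>\s*'?([^',\s}]+)'?")


def parse_checksums(text):
    """Parse the $cksum hash into {filename: {field: value}} using regexes.

    The manifest is treated as data rather than executed as Perl, so a
    hostile manifest cannot run code inside the client doing the check.
    """
    body = text.split("$cksum = {", 1)[1] if "$cksum = {" in text else ""
    manifest = {}
    for name, fields in ENTRY_RE.findall(body):
        manifest[name] = dict(FIELD_RE.findall(fields))
    return manifest


def verify_release(name, data, manifest, manifest_signature_ok):
    """Return (accepted, reason) for one downloaded release file.

    Checks in order: the manifest's PAUSE signature was verified, the file
    is listed, a SHA256 entry exists (MD5 alone is not collision resistant),
    and the size and SHA256 match the downloaded bytes.
    """
    if not manifest_signature_ok:
        return False, "CHECKSUMS signature not verified; manifest is untrusted"
    entry = manifest.get(name)
    if entry is None:
        return False, "release not listed in CHECKSUMS"
    if "sha256" not in entry:
        return False, "no sha256 in CHECKSUMS entry; MD5 alone is insufficient"
    if int(entry.get("size", -1)) != len(data):
        return False, "size mismatch"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, entry["sha256"]):
        return False, "sha256 mismatch"
    return True, "ok"


if __name__ == "__main__":
    manifest = parse_checksums(SAMPLE_CHECKSUMS)
    for sig_ok in (True, False):
        print(sig_ok, verify_release("Foo-Bar-1.00.tar.gz", SAMPLE_TARBALL,
                                     manifest, sig_ok))
    print(verify_release("Foo-Bar-1.00.tar.gz", SAMPLE_TARBALL + b"x",
                         manifest, True))
    print(verify_release("Old-Dist-0.01.tar.gz", b"", manifest, True))
```

Run stand-alone it prints an acceptance for the intact tarball with a verified manifest, and rejections for the unverified manifest, the modified tarball and the entry that only carries an MD5. A client that enables CHECKSUMS verification by default and ships the PAUSE public key, as the quoted post suggests, is what turns the first branch from a constant into a real check.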