Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

Moritz Muehlenhoff jmm at inutil.org
Wed Oct 23 22:22:47 BST 2019


On Wed, Oct 23, 2019 at 10:20:04PM +0300, Niko Tyni wrote:
> Control: reassign -1 src:perl
> Control: found -1 5.20.2-3
> 
> On Tue, Oct 22, 2019 at 12:36:14PM +0200, Vincent Lefevre wrote:
> > Package: perl-modules-5.30
> > Version: 5.30.0-8
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > I've just found that CPAN.pm does not check signatures by default:
> > 
> >   'check_sigs' => q[0],
> > 
> > Moreover, it downloads files using http, not https.
> > 
> > The combination of both issues makes it very insecure, with a possible
> > remote attack!
> > 
> > And there are no warnings about that.
> 
> Thanks for your report.
> 
> FWIW this has been the case since forever.
> 
> https://www.cpan.org/SITES.html does not list any https mirrors.
> 
> I'm not at all familiar with this topic but a web search gives
>  https://www.perlmonks.org/?node_id=1158601
> 
> Quoting perlancar there for future reference:
> 
>   PAUSE creates a CHECKSUMS file in author's directory, listing each
>   release file along with its last modified time, size, MD5 and SHA256
>   checksums. The CHECKSUMS file is then signed by PAUSE. A CPAN client
>   can be instructed (e.g. --verify in cpanm) to check the signature of
>   the CHECKSUMS file.
> 
>   A couple of issues: 1) signature verification is not enabled by default
>   in CPAN client (at least in cpanm); 2) most (all?) CPAN mirrors are
>   ftp/http and not https, so during the first installation where the
>   client does not have PAUSE's public key yet, a MITM attack can spoof
>   the CHECKSUMS file as well as the release tarballs without the client
>   being able to detect it. These issues can be fixed in the client:
>   enable --verify by default and bundle the PAUSE public key.
> 
>   Additionally, an author can also sign his distribution using a framework
>   like Module::Signature. This will create a SIGNATURE file in the
>   top-level directory of the distribution which contains the checksums of
>   the files in the distribution. The SIGNATURE is then signed using the
>   author's PGP key. This protects the distribution from being tampered
>   by the server (in this case, PAUSE).
> 
>   A CPAN client can then be instructed (also --verify in cpanm) to check
>   this signature file. The 'cpansign' CLI tool distributed along with
>   Module::Signature can also be used for this purpose. The same issue
>   also exists: verify is not enabled by default. And another issue,
>   code signing by author is not mandatory and as far as I know, only a
>   small percentage of authors do this. And yet another issue, at least
>   when I tried it, a tool like 'cpansign' is not strict by default: when
>   it fails to retrieve the required PGP public key, it still reports
>   "==> Signature verified OK! <=".
> 
> So as I understand this, verifying CHECKSUMS would be the thing to do,
> and setting 'check_sigs' wouldn't really help (only deployed partially
> and no web of trust to the module authors).
> 
> From a cursory look it looks to me like cpanm from src:cpanminus verifies
> CHECKSUMS if Module::Signature (src:libmodule-signature-perl, bundles a
> recent PAUSE public key) is installed, but CPAN.pm doesn't. But I might
> be wrong.
> 
> I'm copying the security team. Would somebody be interested in digging
> further into this?
> 
> Not touching the severity but given the long standing history this is
> not a high priority item for me.

From my PoV, people are free to work with upstream to get that fixed, but
there's no reason to treat this as an RC bug.

Cheers,
        Moritz
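As an added illustration of the CHECKSUMS mechanism perlancar describes above (this is not code from CPAN.pm, cpanm or anyone in this thread): a small Perl checker that verifies a release file against a PAUSE-style CHECKSUMS entry and fails closed on the two lax behaviours the quote names. The CHECKSUMS text and release bytes are constructed, and `$sig_ok` stands in for the result of verifying the clearsign against a bundled PAUSE key, which the example assumes the caller has already done.

```perl
use strict; use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed release bytes and a constructed CHECKSUMS excerpt in the
# PAUSE layout (a clearsigned Perl hash); not a real distribution.
my $tarball = "not a real tarball, just constructed bytes\n";
my $checksums = <<"END";
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

\$cksum = {
  'Example-Dist-1.00.tar.gz' => {
    'md5'    => 'ignored-in-this-example',
    'sha256' => '@{[ sha256_hex($tarball) ]}',
    'size'   => @{[ length $tarball ]},
  },
  'Legacy-Dist-0.01.tar.gz' => { 'md5' => '0123456789abcdef0123456789abcdef', 'size' => 12 },
};
-----BEGIN PGP SIGNATURE-----
(signature block omitted in this constructed sample)
-----END PGP SIGNATURE-----
END

# Pull one entry's fields with a regex rather than eval'ing untrusted text.
sub entry_for {
    my ($text, $name) = @_;
    my ($body) = $text =~ /'\Q$name\E'\s*=>\s*\{(.*?)\}/s or return;
    my %f = $body =~ /'(\w+)'\s*=>\s*'?([^',\s]+)'?/g;
    return \%f;
}

# $sig_ok is the caller's result of checking the clearsign against a bundled
# PAUSE key; without it we refuse rather than report OK. MD5-only entries are refused too.
sub verify_release {
    my ($text, $name, $bytes, $sig_ok) = @_;
    return (0, 'CHECKSUMS signature not verified with a trusted key') unless $sig_ok;
    my $e = entry_for($text, $name) or return (0, 'not listed in CHECKSUMS');
    return (0, 'no sha256 entry; MD5 alone is not enough') unless $e->{sha256};
    return (0, 'size mismatch')   unless $e->{size} == length $bytes;
    return (0, 'sha256 mismatch') unless $e->{sha256} eq sha256_hex($bytes);
    return (1, 'ok');
}

for my $case (
    ['Example-Dist-1.00.tar.gz', $tarball,            1],
    ['Example-Dist-1.00.tar.gz', $tarball,            0],  # key never verified
    ['Example-Dist-1.00.tar.gz', "tampered $tarball", 1],
    ['Legacy-Dist-0.01.tar.gz',  'x' x 12,            1],  # MD5-only entry
) {
    my ($ok, $why) = verify_release($checksums, @$case);
    printf "%-26s %s: %s\n", $case->[0], $ok ? 'ACCEPT' : 'REJECT', $why;
}
```

Only the first case is accepted; the other three are rejected with the reason shown, which is the opposite of the "verified OK" result the quote reports for a missing key.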