Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings
Moritz Muehlenhoff
jmm at inutil.org
Wed Oct 23 22:22:47 BST 2019
On Wed, Oct 23, 2019 at 10:20:04PM +0300, Niko Tyni wrote:
> Control: reassign -1 src:perl
> Control: found -1 5.20.2-3
>
> On Tue, Oct 22, 2019 at 12:36:14PM +0200, Vincent Lefevre wrote:
> > Package: perl-modules-5.30
> > Version: 5.30.0-8
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > I've just found that CPAN.pm does not check signatures by default:
> >
> > 'check_sigs' => q[0],
> >
> > Moreover, it downloads files using http, not https.
> >
> > The combination of both issues makes it very insecure, with a possible
> > remote attack!
> >
> > And there are no warnings about that.
>
> Thanks for your report.
>
> FWIW this has been the case since forever.
>
> https://www.cpan.org/SITES.html does not list any https mirrors.
>
> I'm not at all familiar with this topic but a web search gives
> https://www.perlmonks.org/?node_id=1158601
>
> Quoting perlancar there for future reference:
>
> PAUSE creates a CHECKSUMS file in author's directory, listing each
> release file along with its last modified time, size, MD5 and SHA256
> checksums. The CHECKSUMS file is then signed by PAUSE. A CPAN client
> can be instructed (e.g. --verify in cpanm) to check the signature of
> the CHECKSUMS file.
>
> A couple of issues: 1) signature verification is not enabled by default
> in CPAN client (at least in cpanm); 2) most (all?) CPAN mirrors are
> ftp/http and not https, so during the first installation where the
> client does not have PAUSE's public key yet, a MITM attack can spoof
> the CHECKSUMS file as well as the release tarballs without the client
> being able to detect it. These issues can be fixed in the client:
> enable --verify by default and bundle the PAUSE public key.
>
> Additionally, an author can also sign his distribution using a framework
> like Module::Signature. This will create a SIGNATURE file in the
> top-level directory of the distribution which contains the checksums of
> the files in the distribution. The SIGNATURE is then signed using the
> author's PGP key. This protects the distribution from being tampered
> with by the server (in this case, PAUSE).
>
> A CPAN client can then be instructed (also --verify in cpanm) to check
> this signature file. The 'cpansign' CLI tool distributed along with
> Module::Signature can also be used for this purpose. The same issue
> also exists: verify is not enabled by default. And another issue,
> code signing by author is not mandatory and as far as I know, only a
> small percentage of authors do this. And yet another issue, at least
> when I tried it, a tool like 'cpansign' is not strict by default: when
> it fails to retrieve the required PGP public key, it still reports
> "==> Signature verified OK! <=".
>
> So as I understand this, verifying CHECKSUMS would be the thing to do,
> and setting 'check_sigs' wouldn't really help (only deployed partially
> and no web of trust to the module authors).
>
> From a cursory look it looks to me like cpanm from src:cpanminus verifies
> CHECKSUMS if Module::Signature (src:libmodule-signature-perl, bundles a
> recent PAUSE public key) is installed, but CPAN.pm doesn't. But I might
> be wrong.
>
> I'm copying the security team. Would somebody be interested in digging
> further into this?
>
> Not touching the severity but given the long standing history this is
> not a high priority item for me.
From my PoV, people are free to work with upstream to get that fixed, but
there's no reason to treat this as an RC bug.
Cheers,
Moritz
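The CHECKSUMS mechanism quoted above, as an added example that is not part of this thread or of CPAN.pm itself: a small Perl script that evaluates a CHECKSUMS file inside a Safe compartment (the file is Perl code assigning a hashref to $cksum, and CPAN.pm also parses it that way), then compares the downloaded file's size and SHA-256 against its entry and refuses anything unlisted or mismatching. The tarball bytes, the CHECKSUMS text and the signature block are constructed here; the md5/mtime fields are placeholders. The script only checks that the PGP clearsign envelope is present, it does not verify the signature, which is exactly the step (gpg with the PAUSE key, via Module::Signature) that distinguishes a corruption check from protection against the http MITM described in the thread.

```perl
#!/usr/bin/perl
# Added example, not CPAN.pm's code: verify a release file against a
# CHECKSUMS file and fail closed on every missing or mismatching piece.
use strict;
use warnings;
use Safe;
use Digest::SHA qw(sha256_hex);

# Evaluate the CHECKSUMS text in a Safe compartment. The file starts with
# "0&&<<'';" so the PGP header lines become an unused heredoc, then assigns
# a hashref to $cksum, and __END__ hides the detached signature from perl.
sub parse_checksums {
    my ($text) = @_;
    my $cksum = Safe->new->reval($text);
    die "CHECKSUMS did not evaluate to a hash: $@\n"
        unless ref $cksum eq 'HASH';
    return $cksum;
}

# Compare size and SHA-256 of the downloaded bytes with the CHECKSUMS entry.
# Returns a list of problems; an empty list means the file matches.
sub check_release {
    my ($cksum, $name, $bytes) = @_;
    my $entry = $cksum->{$name}
        or return ("no CHECKSUMS entry for $name, refusing to install");
    my @problems;
    push @problems, "size mismatch"
        if !defined $entry->{size} || length($bytes) != $entry->{size};
    my $got = sha256_hex($bytes);
    push @problems, "sha256 mismatch: expected "
        . (defined $entry->{sha256} ? $entry->{sha256} : '<none>') . ", got $got"
        if !defined $entry->{sha256} || lc($got) ne lc($entry->{sha256});
    return @problems;
}

# Presence of the clearsign envelope only. Without actually verifying it
# against the PAUSE key, an attacker on an http path can rewrite tarball
# and CHECKSUMS consistently and the checks above will still pass.
sub has_pgp_envelope {
    my ($text) = @_;
    return $text =~ /^-----BEGIN PGP SIGNED MESSAGE-----$/m
        && $text =~ /^-----BEGIN PGP SIGNATURE-----$/m;
}

# Constructed sample data standing in for a mirror download.
my $dist    = 'Foo-Bar-1.00.tar.gz';
my $payload = "constructed bytes standing in for a release tarball\n";
my $sha     = sha256_hex($payload);
my $size    = length $payload;

my $checksums_text = <<"EOT";
0&&<<''; # this PGP-signed message is also valid perl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# CHECKSUMS file (constructed sample, not written by PAUSE)
\$cksum = {
  '$dist' => {
    'md5' => 'CONSTRUCTED-MD5-PLACEHOLDER',
    'mtime' => '2019-10-22',
    'sha256' => '$sha',
    'size' => $size
  }
};
__END__
-----BEGIN PGP SIGNATURE-----
CONSTRUCTED-PLACEHOLDER-SIGNATURE
-----END PGP SIGNATURE-----
EOT

my $cksum = parse_checksums($checksums_text);
printf "PGP envelope present: %s (signature NOT verified here)\n",
    has_pgp_envelope($checksums_text) ? 'yes' : 'no';

for my $case ([ 'untouched', $dist,                 $payload           ],
              [ 'tampered',  $dist,                 $payload . "evil\n" ],
              [ 'unlisted',  'Foo-Bar-1.01.tar.gz', $payload           ]) {
    my ($label, $name, $bytes) = @$case;
    my @problems = check_release($cksum, $name, $bytes);
    printf "%-9s %s\n", $label, @problems ? "REJECT: @problems" : "ok";
}
```

Run it with a stock perl (Safe and Digest::SHA are core modules); the tampered and unlisted cases are rejected while the untouched one passes. Replacing has_pgp_envelope with a real signature check against a bundled PAUSE public key is what turns this into the "verify by default" behaviour the thread asks for.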