Hi Gregor,

On Fri, Mar 17, 2023 at 09:15:12PM +0100, gregor herrmann wrote:
> On Fri, 17 Mar 2023 14:50:29 +0100, Moritz Mühlenhoff wrote:
>
> > CVE-2020-16155[0]:
> > | The CPAN::Checksums package 2.12 for Perl does not uniquely define
> > | signed data.
> >
> > https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
> > http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html
>
> After reading those webpages and looking at the diffs briefly, I
> _think_ this is fixed upstream in 2.13 and in Debian with 2.13-1.
>
> What do you think, Salvatore?
My understanding so far was that the issue is not solely CPAN::Checksums, but a combination of what we can control in CPAN::Checksums and the way the module was called on CPAN. 2.13 adds the additional required path component, so maybe you are right and we should consider the CVE addressed on the package side with the addition of the cpan_path key.

For reference:
https://github.com/andk/cpan-checksums/commit/9d2f5f26470ff7ce53ef697d09790fc4db451ab1

Regards,
Salvatore
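To illustrate what "does not uniquely define signed data" means for a CHECKSUMS-style manifest, and why binding the manifest to its directory (the cpan_path idea discussed above) closes it, here is a constructed Python example. It is not CPAN::Checksums code and not part of this thread: the manifest layout, the HMAC standing in for the PGP clearsign signature, the key, the directory names and the file contents are all assumptions made for the demonstration. A signed manifest that names only file digests is valid wherever it is copied, so a client fetching from some other directory accepts it; once the manifest also carries the directory it was issued for, a verifier that checks that field rejects the relocated copy.

```python
"""Constructed demo: a signed checksums manifest with and without a path binding.

Not CPAN::Checksums code. The HMAC below stands in for the PGP signature a real
CHECKSUMS file carries; the key, paths and file bytes are made up for the demo.
"""
import hashlib
import hmac
import json

# Constructed stand-in for the signer's key (a real CHECKSUMS is PGP-signed).
SIGNING_KEY = b"constructed-demo-signing-key"


def build_manifest(files, cpan_path=None):
    """Build a manifest of per-file SHA-256 digests and sizes.

    If cpan_path is given, the manifest also records the directory it was
    issued for, so that the signed data is unique to that location.
    """
    entries = {
        name: {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
        for name, data in sorted(files.items())
    }
    manifest = {"files": entries}
    if cpan_path is not None:
        manifest["cpan_path"] = cpan_path
    return manifest


def sign(manifest):
    """Serialise deterministically and sign; returns (signed_body, signature)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body, sig


def verify(body, sig, expected_path, files):
    """Client-side check of a fetched manifest against the directory it came from.

    Order matters: authenticate the manifest first, then check that it was
    issued for this directory (when it says so), then check the file digests.
    Returns (ok, reason).
    """
    expected_sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, sig):
        return False, "bad signature"
    manifest = json.loads(body)
    bound_path = manifest.get("cpan_path")
    if bound_path is not None and bound_path != expected_path:
        return False, f"manifest issued for {bound_path}, not {expected_path}"
    for name, entry in manifest["files"].items():
        data = files.get(name)
        if data is None:
            return False, f"missing {name}"
        if hashlib.sha256(data).hexdigest() != entry["sha256"]:
            return False, f"digest mismatch for {name}"
    return True, "ok"


def run_scenario(include_path):
    """Sign a manifest for the author's directory, then replay it elsewhere.

    The manifest and the files it lists are copied verbatim into a different
    directory; the client verifies what it fetched from that other directory.
    Returns the in-place result and the replayed (ok, reason) pair.
    """
    author_dir = "A/AU/AUTHOR"      # constructed
    other_dir = "B/BA/BADGUY"       # constructed
    files = {"Foo-1.00.tar.gz": b"constructed tarball bytes for Foo 1.00"}
    manifest = build_manifest(files, cpan_path=author_dir if include_path else None)
    body, sig = sign(manifest)
    return {
        "in_place": verify(body, sig, author_dir, files)[0],
        "replayed": verify(body, sig, other_dir, files),
    }


if __name__ == "__main__":
    for include_path in (False, True):
        result = run_scenario(include_path)
        print(f"cpan_path in manifest: {include_path}")
        print(f"  verifies in its own directory: {result['in_place']}")
        print(f"  verifies after replay elsewhere: {result['replayed']}")
```

The caveat a verifier author should keep in mind: the demo's `verify` tolerates a manifest without the path field, so an old, legitimately signed manifest still relocates freely. Getting the protection end to end therefore needs both the generator always emitting the field and the client refusing manifests that lack it, which is why the fix is not confined to the module alone.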