Control: reassign -1 src:perl
Control: found -1 5.20.2-3

On Tue, Oct 22, 2019 at 12:36:14PM +0200, Vincent Lefevre wrote:
> Package: perl-modules-5.30
> Version: 5.30.0-8
> Severity: grave
> Tags: security
> Justification: user security hole
>
> I've just found that CPAN.pm does not check signatures by default:
>
>     'check_sigs' => q[0],
>
> Moreover, it downloads files using http, not https.
>
> The combination of both issues makes it very insecure, with a possible
> remote attack!
>
> And there are no warnings about that.
Thanks for your report. FWIW this has been the case since forever.

https://www.cpan.org/SITES.html does not list any https mirrors.

I'm not at all familiar with this topic but a web search gives
https://www.perlmonks.org/?node_id=1158601

Quoting perlancar there for future reference:

  PAUSE creates a CHECKSUMS file in the author's directory, listing each
  release file along with its last modified time, size, MD5 and SHA256
  checksums. The CHECKSUMS file is then signed by PAUSE. A CPAN client can
  be instructed (e.g. --verify in cpanm) to check the signature of the
  CHECKSUMS file.

  A couple of issues: 1) signature verification is not enabled by default
  in the CPAN client (at least in cpanm); 2) most (all?) CPAN mirrors are
  ftp/http and not https, so during the first installation where the
  client does not have PAUSE's public key yet, a MITM attack can spoof the
  CHECKSUMS file as well as the release tarballs without the client being
  able to detect it. These issues can be fixed in the client: enable
  --verify by default and bundle the PAUSE public key.

  Additionally, an author can also sign his distribution using a framework
  like Module::Signature. This will create a SIGNATURE file in the
  top-level directory of the distribution which contains the checksums of
  the files in the distribution. The SIGNATURE is then signed using the
  author's PGP key. This protects the distribution from being tampered
  with by the server (in this case, PAUSE). A CPAN client can then be
  instructed (also --verify in cpanm) to check this signature file. The
  'cpansign' CLI tool distributed along with Module::Signature can also be
  used for this purpose.

  The same issue also exists: verify is not enabled by default. And
  another issue, code signing by the author is not mandatory and as far as
  I know, only a small percentage of authors do this.

  And yet another issue, at least when I tried it, a tool like 'cpansign'
  is not strict by default: when it fails to retrieve the required PGP
  public key, it still reports "==> Signature verified OK! <=".

So as I understand this, verifying CHECKSUMS would be the thing to do, and
setting 'check_sigs' wouldn't really help (only deployed partially and no
web of trust to the module authors).

From a cursory look it looks to me like cpanm from src:cpanminus verifies
CHECKSUMS if Module::Signature (src:libmodule-signature-perl, bundles a
recent PAUSE public key) is installed, but CPAN.pm doesn't. But I might be
wrong.

I'm copying the security team. Would somebody be interested in digging
further into this?

Not touching the severity but given the long standing history this is not
a high priority item for me.

-- 
Niko Tyni   nt...@debian.org
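The CHECKSUMS-based check discussed in this thread, written out as an added example; it is not code from this bug report, CPAN.pm, cpanminus or PAUSE. It renders a CHECKSUMS file in the layout PAUSE's CPAN::Checksums produces as I know it (a Perl hash assigned to $cksum inside a PGP-signed message), parses that text back, and accepts a downloaded release only when its size and SHA256 match. The distribution name, file contents and digests are constructed, the PGP signature block is a placeholder, and the `signature_verified` flag stands in for a real check of that signature against the PAUSE key: the point the report makes is that a client fetching both CHECKSUMS and tarball over plain http with no PAUSE key cannot trust either, so the example refuses in that state.

```python
"""Client-side integrity check of a CPAN release against its CHECKSUMS file.

Added example, not code from CPAN.pm, cpanminus or PAUSE.  The CHECKSUMS
layout (a Perl hash assigned to $cksum inside a PGP-signed message) follows
the real file format as the author of this example knows it; every file
name, size and digest below is constructed and the signature block is a
placeholder.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class ChecksumEntry:
    sha256: str
    size: int


def render_checksums(files: Dict[str, bytes]) -> str:
    """Lay out a CHECKSUMS file the way PAUSE does; used here only to build
    test data, since a real file is signed with the PAUSE key."""
    lines = [
        "0&&<<''; # this PGP-signed message is also valid perl",
        "-----BEGIN PGP SIGNED MESSAGE-----",
        "Hash: SHA256",
        "",
        "# CHECKSUMS file written by a constructed example, not by PAUSE",
        "$cksum = {",
    ]
    for name, data in sorted(files.items()):
        lines += [
            f"  '{name}' => {{",
            f"    'md5' => '{hashlib.md5(data).hexdigest()}',",
            "    'mtime' => '2019-10-21',",
            f"    'sha256' => '{hashlib.sha256(data).hexdigest()}',",
            f"    'size' => {len(data)}",
            "  },",
        ]
    lines += [
        "};",
        "__END__",
        "-----BEGIN PGP SIGNATURE-----",
        "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-SIGNATURE",
        "-----END PGP SIGNATURE-----",
    ]
    return "\n".join(lines) + "\n"


# One entry per release file: 'Name.tar.gz' => { 'md5' => ..., 'size' => N }
ENTRY_RE = re.compile(r"'(?P<name>[^']+)'\s*=>\s*\{(?P<body>[^}]*)\}")
FIELD_RE = re.compile(r"'(?P<key>\w+)'\s*=>\s*'?(?P<val>[^',\s]+)'?")


def parse_checksums(text: str) -> Dict[str, ChecksumEntry]:
    """Extract the sha256 and size recorded for each release file."""
    entries = {}
    for m in ENTRY_RE.finditer(text):
        fields = {f.group("key"): f.group("val")
                  for f in FIELD_RE.finditer(m.group("body"))}
        entries[m.group("name")] = ChecksumEntry(fields["sha256"], int(fields["size"]))
    return entries


def verify_release(checksums_text: str, signature_verified: bool,
                   filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept a downloaded release only if it matches a trusted CHECKSUMS entry.

    signature_verified must come from checking the PGP signature of the
    CHECKSUMS text against the PAUSE public key.  Without that key (the
    first-install-over-http case in the report) the CHECKSUMS contents are
    as spoofable as the tarball, so nothing below may be trusted.
    """
    if not signature_verified:
        return False, "CHECKSUMS signature not verified against the PAUSE key"
    entry = parse_checksums(checksums_text).get(filename)
    if entry is None:
        return False, f"{filename} not listed in CHECKSUMS"
    if len(data) != entry.size:
        return False, f"size mismatch: got {len(data)}, expected {entry.size}"
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, entry.sha256):
        return False, "sha256 mismatch"
    return True, "ok"


# Constructed release contents; no real distribution is involved.
GOOD_TARBALL = b"constructed contents of Example-Dist-1.00.tar.gz\n"
TAMPERED_SAME_SIZE = GOOD_TARBALL[:-1] + b"!"       # same length, different bytes
TAMPERED_LONGER = GOOD_TARBALL + b"extra bytes\n"   # length changed
SAMPLE_CHECKSUMS = render_checksums({"Example-Dist-1.00.tar.gz": GOOD_TARBALL})

if __name__ == "__main__":
    name = "Example-Dist-1.00.tar.gz"
    for label, blob in [("genuine", GOOD_TARBALL),
                        ("tampered, same size", TAMPERED_SAME_SIZE),
                        ("tampered, longer", TAMPERED_LONGER)]:
        print(label, verify_release(SAMPLE_CHECKSUMS, True, name, blob))
    print("no PAUSE key", verify_release(SAMPLE_CHECKSUMS, False, name, GOOD_TARBALL))
```

The size comparison runs before the digest so an obviously wrong download is rejected cheaply, and the digest comparison uses a constant-time compare out of habit rather than necessity, since the digest is not a secret. What this example cannot do, and what the thread is really about, is produce `signature_verified=True` on a fresh machine: that needs the PAUSE public key to be shipped with the client (as src:libmodule-signature-perl does) rather than fetched over the same unauthenticated channel.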