VYPR
NVD Advisory · Severity: Unrated · Published Dec 13, 2021 · Updated Nov 3, 2025

CVE-2020-16156

Description

CPAN 2.28 allows Signature Verification Bypass.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing arguments to `Module::Signature::_verify()` cause the `_compare()` check to be bypassed, allowing unsigned checksum entries prepended before the PGP cleartext to be accepted as valid."

Attack vector

An attacker who controls a CPAN mirror (e.g., via a man-in-the-middle position or by hosting a malicious mirror) can prepend forged checksum entries for a modified package to the beginning of a CHECKSUMS file, before the cleartext PGP headers. Because `Module::Signature::_verify()` is called without the `sigtext` and `plaintext` arguments, the `_compare()` check is skipped, and the function only verifies that a valid signed cleartext block exists somewhere in the file. The attacker's prepended, unsigned checksums are accepted as valid, allowing the installation of a malicious package [ref_id=1].

Affected code

The vulnerability lies in the `Module::Signature::_verify()` function used by CPAN.pm. The `_verify()` call is made without the `sigtext` and `plaintext` arguments, which causes the `_compare()` check to be bypassed. As a result, `_verify()` only confirms that a valid signed cleartext block exists somewhere in the CHECKSUMS file, rather than verifying that the checksums being used are actually part of the signed content [ref_id=1].
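The difference between "a valid signed block exists somewhere in the file" and "the checksums actually used came from the signed block" is easiest to see in code. The following is an added illustration written for this page; it is not CPAN.pm or Module::Signature code. It stands in an HMAC for the OpenPGP cleartext signature and uses a simplified `filename sha256` line format instead of the Perl data structure a real CHECKSUMS file carries (both are assumptions). `weak_lookup()` models the bypassed check the advisory describes: it confirms a signed block is present and then reads checksums from the whole file. `strict_lookup()` is the hardened form: it consults only the signed body, which has the same effect as the skipped `_compare()` step of checking that the text in use matches the signed plaintext.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the OpenPGP signature: an HMAC over the signed body.
# Only the shape of the check matters for this illustration, not the primitive.
SIGNING_KEY = b"constructed-demo-key"

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample digests for a genuine and a modified tarball.
GENUINE_SHA256 = hashlib.sha256(b"genuine tarball bytes").hexdigest()
MODIFIED_SHA256 = hashlib.sha256(b"modified tarball bytes").hexdigest()
PACKAGE = "Example-1.00.tar.gz"


def sign_cleartext(body: str) -> str:
    """Wrap `body` in a cleartext-signed block (toy format, assumption)."""
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{BEGIN_SIGNED}\nHash: SHA256\n\n{body}\n{BEGIN_SIG}\n{mac}\n{END_SIG}\n"


def extract_signed_block(text: str):
    """Return (signed_body, signature) for the first cleartext block, or None."""
    pattern = (re.escape(BEGIN_SIGNED) + r"\nHash: SHA256\n\n(.*?)\n"
               + re.escape(BEGIN_SIG) + r"\n(.*?)\n" + re.escape(END_SIG))
    m = re.search(pattern, text, re.S)
    return (m.group(1), m.group(2)) if m else None


def signature_ok(body: str, sig: str) -> bool:
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def parse_checksums(text: str) -> dict:
    """Parse 'filename sha256-hex' lines. The first entry for a name wins,
    which is why an entry prepended to the file shadows the genuine one."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and re.fullmatch(r"[0-9a-f]{64}", parts[1]):
            entries.setdefault(parts[0], parts[1])
    return entries


def weak_lookup(checksums_file: str, filename: str):
    """Bypassed check: a valid signed block anywhere in the file is enough,
    and checksums are then read from the whole file, signed or not."""
    block = extract_signed_block(checksums_file)
    if block is None or not signature_ok(*block):
        return None
    return parse_checksums(checksums_file).get(filename)


def strict_lookup(checksums_file: str, filename: str):
    """Hardened check: only checksums inside the signed body are consulted."""
    block = extract_signed_block(checksums_file)
    if block is None or not signature_ok(*block):
        return None
    signed_body, _ = block
    return parse_checksums(signed_body).get(filename)


def build_genuine_file() -> str:
    """A CHECKSUMS file as a trusted mirror would serve it (constructed)."""
    return sign_cleartext(f"{PACKAGE} {GENUINE_SHA256}")


def build_prepended_file() -> str:
    """The same file with an unsigned entry placed before the signed block."""
    return f"{PACKAGE} {MODIFIED_SHA256}\n" + build_genuine_file()


def build_tampered_file() -> str:
    """Signed body edited in place: the signature itself no longer matches."""
    return build_genuine_file().replace(GENUINE_SHA256, MODIFIED_SHA256, 1)


if __name__ == "__main__":
    f = build_prepended_file()
    print("weak  :", weak_lookup(f, PACKAGE) == MODIFIED_SHA256)   # True: bypass
    print("strict:", strict_lookup(f, PACKAGE) == GENUINE_SHA256)  # True: ignored
```

Note that the tampered variant is rejected by both lookups; the weakness is not in the signature primitive but in what text the verified signature is allowed to vouch for.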

What the fix does

No patch is shown in the bundle. The advisory recommends that users ensure their CPAN client is configured to use a trusted TLS-protected (https) mirror, as signature verification can be bypassed and signed CHECKSUMS cannot be relied upon for security [ref_id=1]. The advisory does not specify whether a code fix has been released for CPAN 2.28.

Preconditions

  • Network: The attacker must control a CPAN mirror that the victim uses (e.g., via a man-in-the-middle position or by hosting a malicious mirror).
  • Config: The victim's CPAN client must have signature verification enabled (check_sigs).

Reproduction

The bundle includes a proof of concept. First, ensure Module::Signature is installed. Prepare a malicious CPAN mirror containing a modified package (e.g., spoofing Mojolicious): create the directory structure, download the original CHECKSUMS file, create a malicious tarball, compute its SHA-256, and prepend a forged checksum entry before the original CHECKSUMS content. Serve the repository locally (e.g., with `busybox httpd -f -p 8000`). Configure CPAN.pm to add `http://localhost:8000` to the urllist and enable `check_sigs`, then run `cpan` to trigger the bypass [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
