Package: uuid
Version: 1.6.2-1.5+b4
Severity: normal

joey@darkstar:~>uuid -d 4eb841ca-ce98-4590-8ea2-c4643bfa537bad
encode: STR:     4eb841ca-ce98-4590-8ea2-c4643bfa537b
        SIV:     104636500717844908867795278139605275515
decode: variant: DCE 1.1, ISO/IEC 11578:1996
        version: 4 (random data based)
        content: 4E:B8:41:CA:CE:98:05:90:0E:A2:C4:64:3B:FA:53:7B
                 (no semantics: random data only)

So that's a valid UUID, isn't it? Except no, it's not, it's two bytes too long.

It could be that the parser is lenient to allow delimiters or something:

joey@darkstar:~>uuid -d 4eb841ca-ce98-4590-8ea2-c4643bfa537b,
encode: STR:     4eb841ca-ce98-4590-8ea2-c4643bfa537b
        SIV:     104636500717844908867795278139605275515
decode: variant: DCE 1.1, ISO/IEC 11578:1996
        version: 4 (random data based)
        content: 4E:B8:41:CA:CE:98:05:90:0E:A2:C4:64:3B:FA:53:7B
                 (no semantics: random data only)

The libossp-uuid-perl library behaves the same, so the ossp-uuid library
is the root cause.

joey@darkstar:~>perl -le 'use OSSP::uuid; my $uuid = OSSP::uuid->new; 
$uuid->import("str", "4eb841ca-ce98-4590-8ea2-c4643bfa537bad"); print 
$uuid->export("str")'
4eb841ca-ce98-4590-8ea2-c4643bfa537b

This could potentially expose users of the ossp-uuid library to
security holes. Two potential ways this could have security ramifications:

* If a fixed size buffer is allocated to hold a UUID, and ossp-uuid is used
  to verify user input is a valid UUID before it's copied into the buffer.
* If a frontend system uses ossp-uuid to parse user input UUIDs, and a backend
  system uses a more strict UUID library (such as the haskell UUID library),
  the backend could be fed data that it will reject, causing the frontend
  to run unusual code paths.
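A strict validator of the kind the report argues for, as an added example (not ossp-uuid's own code): it accepts only the canonical 36-character form anchored at both ends, so the two inputs above are rejected instead of silently truncated, and it reports the same variant/version/content fields that `uuid -d` prints. The sample inputs are the ones from this report.

```python
import re
import uuid
from typing import Optional

# Canonical 8-4-4-4-12 form, anchored with \A and \Z so that nothing may
# precede or follow it: no trailing hex digits, no delimiters, no braces.
_CANONICAL = re.compile(
    r"\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\Z",
    re.IGNORECASE,
)


def parse_strict(text: str) -> Optional[uuid.UUID]:
    """Return the UUID only if `text` is exactly one canonical UUID string.

    Unlike a lenient parser, any extra byte after the 36th character makes
    the whole input invalid, so a caller that sizes a buffer for 36 bytes
    can rely on the check.
    """
    if not _CANONICAL.match(text):
        return None
    return uuid.UUID(text)


def describe(u: uuid.UUID) -> dict:
    """Mirror the fields `uuid -d` prints for a parsed UUID.

    The content line masks out the version nibble (byte 6) and the variant
    bits (byte 8), which is why the tool shows 05:90 and 0E:A2 rather than
    45:90 and 8E:A2 for the UUID in this report.
    """
    raw = bytearray(u.bytes)
    raw[6] &= 0x0F
    raw[8] &= 0x3F
    return {
        "siv": u.int,                 # single integer value, as in `uuid -d`
        "variant": u.variant,
        "version": u.version,
        "content": ":".join(f"{b:02X}" for b in raw),
    }


if __name__ == "__main__":
    # Constructed samples taken from the inputs shown in this report.
    for candidate in ("4eb841ca-ce98-4590-8ea2-c4643bfa537b",
                      "4eb841ca-ce98-4590-8ea2-c4643bfa537bad",
                      "4eb841ca-ce98-4590-8ea2-c4643bfa537b,"):
        parsed = parse_strict(candidate)
        print(candidate, "->", describe(parsed) if parsed else "REJECTED")
```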

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), 
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages uuid depends on:
ii  libc6           2.24-11
ii  libossp-uuid16  1.6.2-1.5+b4

uuid recommends no packages.

uuid suggests no packages.

-- no debconf information

-- 
see shy jo
