Package: uuid
Version: 1.6.2-1.5+b4
Severity: normal

joey@darkstar:~>uuid -d 4eb841ca-ce98-4590-8ea2-c4643bfa537bad
encode: STR:     4eb841ca-ce98-4590-8ea2-c4643bfa537b
        SIV:     104636500717844908867795278139605275515
decode: variant: DCE 1.1, ISO/IEC 11578:1996
        version: 4 (random data based)
        content: 4E:B8:41:CA:CE:98:05:90:0E:A2:C4:64:3B:FA:53:7B
                 (no semantics: random data only)

So that's a valid UUID, isn't it? Except no, it's not, it's two bytes too long.

It could be that the parser is lenient to allow delimiters or something:

joey@darkstar:~>uuid -d 4eb841ca-ce98-4590-8ea2-c4643bfa537b,
encode: STR:     4eb841ca-ce98-4590-8ea2-c4643bfa537b
        SIV:     104636500717844908867795278139605275515
decode: variant: DCE 1.1, ISO/IEC 11578:1996
        version: 4 (random data based)
        content: 4E:B8:41:CA:CE:98:05:90:0E:A2:C4:64:3B:FA:53:7B
                 (no semantics: random data only)

The libossp-uuid-perl library behaves the same, so the ossp-uuid library is the root cause.

joey@darkstar:~>perl -le 'use OSSP::uuid; my $uuid = OSSP::uuid->new; $uuid->import("str", "4eb841ca-ce98-4590-8ea2-c4643bfa537bad"); print $uuid->export("str")'
4eb841ca-ce98-4590-8ea2-c4643bfa537b

This could potentially expose users of the ossp-uuid library to security holes. Two potential ways this could have security ramifications:

* If a fixed size buffer is allocated to hold a UUID, and ossp-uuid is used to verify user input is a valid UUID before it's copied into the buffer.

* If a frontend system uses ossp-uuid to parse user input UUIDs, and a backend system uses a more strict UUID library (such as the haskell UUID library), the backend could be fed data that it will reject, causing the frontend to run unusual code paths.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages uuid depends on:
ii  libc6           2.24-11
ii  libossp-uuid16  1.6.2-1.5+b4

uuid recommends no packages.

uuid suggests no packages.

-- no debconf information

-- 
see shy jo
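As an added example (not part of this report and not ossp-uuid's own code), the C program below models the lenient behaviour shown above with a hypothetical uuid_parse_lenient() that decodes 36 characters and never looks at what follows, beside a strict uuid_parse_strict() that also requires the whole string to be exactly 36 characters. The three sample strings are the report's UUID, the same string with "ad" appended, and the same string with a trailing comma, constructed here as test input. The strict variant is the check a fixed-size buffer copy or a frontend/backend handoff would need so that "valid" means the same thing at every stage.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs taken from the report above. */
static const char SAMPLE_OK[]    = "4eb841ca-ce98-4590-8ea2-c4643bfa537b";
static const char SAMPLE_LONG[]  = "4eb841ca-ce98-4590-8ea2-c4643bfa537bad";
static const char SAMPLE_COMMA[] = "4eb841ca-ce98-4590-8ea2-c4643bfa537b,";

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode exactly the first 36 characters of s (8-4-4-4-12 hex groups joined
 * by '-') into 16 bytes. Reading stops at s[35]; nothing after it is ever
 * examined, which is what makes a caller lenient about trailing characters.
 * Returns 0 on success, -1 on malformed or truncated input. */
static int decode36(const char *s, unsigned char out[16])
{
    size_t i, n = 0;
    int hi = -1;                       /* pending high nibble, -1 if none */
    for (i = 0; i < 36; i++) {
        int c = (unsigned char)s[i];
        if (c == '\0')
            return -1;                 /* shorter than 36 characters */
        if (i == 8 || i == 13 || i == 18 || i == 23) {
            if (c != '-')
                return -1;             /* hyphen expected at this position */
            continue;
        }
        int v = hexval(c);
        if (v < 0)
            return -1;                 /* non-hex character inside a group */
        if (hi < 0) {
            hi = v;
        } else {
            out[n++] = (unsigned char)((hi << 4) | v);
            hi = -1;
        }
    }
    return n == 16 ? 0 : -1;
}

/* Hypothetical model of the reported behaviour: parse 36 characters and
 * silently ignore anything that follows ("...537bad" and "...537b," pass). */
int uuid_parse_lenient(const char *s, unsigned char out[16])
{
    return decode36(s, out);
}

/* Strict parser: the whole string must be exactly 36 characters, so extra
 * digits or delimiters are rejected instead of being dropped. */
int uuid_parse_strict(const char *s, unsigned char out[16])
{
    if (strlen(s) != 36)
        return -1;
    return decode36(s, out);
}

/* Wrappers returning 1 for "accepted" and 0 for "rejected". */
int uuid_is_valid_lenient(const char *s)
{
    unsigned char b[16];
    return uuid_parse_lenient(s, b) == 0;
}

int uuid_is_valid_strict(const char *s)
{
    unsigned char b[16];
    return uuid_parse_strict(s, b) == 0;
}

/* Byte idx (0..15) of the strictly parsed UUID, or -1 if s is rejected. */
int uuid_strict_byte(const char *s, int idx)
{
    unsigned char b[16];
    if (idx < 0 || idx > 15 || uuid_parse_strict(s, b) != 0)
        return -1;
    return b[idx];
}

int main(void)
{
    const char *inputs[] = { SAMPLE_OK, SAMPLE_LONG, SAMPLE_COMMA };
    size_t i;
    for (i = 0; i < 3; i++)
        printf("%-40s lenient=%d strict=%d\n", inputs[i],
               uuid_is_valid_lenient(inputs[i]),
               uuid_is_valid_strict(inputs[i]));
    return 0;
}
```

Running it prints lenient=1 for all three inputs and strict=1 only for the 36-character string; the bytes returned by uuid_strict_byte() are the raw octets (0x45 at index 6, 0x8e at index 8), whereas the "content:" line in the uuid -d output above shows those two with the version and variant bits masked off.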