Control: tags -1 + upstream fixed-upstream

(I'm the new upstream for all OSSP software; fixed in
 <https://git.sr.ht/~nabijaczleweli/ossp-uuid/commit/8386acd884e8935669b796933fef7b03831300ba>.)

On Fri, Jun 09, 2017 at 11:23:07PM -0400, Joey Hess wrote:
> joey@darkstar:~>uuid -d 4eb841ca-ce98-4590-8ea2-c4643bfa537bad
> encode: STR:     4eb841ca-ce98-4590-8ea2-c4643bfa537b
>         SIV:     104636500717844908867795278139605275515
> decode: variant: DCE 1.1, ISO/IEC 11578:1996
>         version: 4 (random data based)
>         content: 4E:B8:41:CA:CE:98:05:90:0E:A2:C4:64:3B:FA:53:7B
>                  (no semantics: random data only)
> 
> So that's a valid UUID, isn't it? Except no, it's not, it's two bytes too 
> long.
Can repro this verbatim.

> It could be that the parser is lenient to allow delimiters or something:
> 
> joey@darkstar:~>uuid -d 4eb841ca-ce98-4590-8ea2-c4643bfa537b,
> encode: STR:     4eb841ca-ce98-4590-8ea2-c4643bfa537b
>         SIV:     104636500717844908867795278139605275515
> decode: variant: DCE 1.1, ISO/IEC 11578:1996
>         version: 4 (random data based)
>         content: 4E:B8:41:CA:CE:98:05:90:0E:A2:C4:64:3B:FA:53:7B
>                  (no semantics: random data only)
> 
> The libossp-uuid-perl library behaves the same, so the ossp-uuid library
> is the root cause.
Yes, I can repro with
  assert(uuid_import(uuid, UUID_FMT_STR, "4eb841ca-ce98-4590-8ea2-c4643bfa537bad",
                     sizeof("4eb841ca-ce98-4590-8ea2-c4643bfa537bad"))
         == UUID_RC_OK);
which passes.

> joey@darkstar:~>perl -le 'use OSSP::uuid; my $uuid = OSSP::uuid->new; $uuid->import("str", "4eb841ca-ce98-4590-8ea2-c4643bfa537bad"); print $uuid->export("str")'
> 4eb841ca-ce98-4590-8ea2-c4643bfa537b
(I have not yet tackled the Perl library.)


In a truly incredible moment, we see:
  static uuid_rc_t uuid_import_str(uuid_t *uuid, const void *data_ptr, size_t data_len)
  {
      /* sanity check argument(s) */
      if (uuid == NULL || data_ptr == NULL || data_len < UUID_LEN_STR)
          return UUID_RC_ARG;
  
      /* check for correct UUID string representation syntax */
      str = (const char *)data_ptr;
      if (!uuid_isstr(str, 0))
          return UUID_RC_ARG;
  
  /* INTERNAL: check for valid UUID string representation syntax */
  static bool uuid_isstr(const char *str, size_t str_len)
  {
      /* example reference:
         f81d4fae-7dec-11d0-a765-00a0c91e6bf6
         012345678901234567890123456789012345
         0         1         2         3       */
      if (str == NULL)
          return false;
      if (str_len == 0)
          str_len = strlen(str);
      if (str_len < UUID_LEN_STR)
          return false;
      for (i = 0, cp = str; i < UUID_LEN_STR; i++, cp++) {
which strlen()s past the data_len,
and entirely discards everything past UUID_LEN_STR.

https://git.sr.ht/~nabijaczleweli/ossp-uuid/commit/8386acd884e8935669b796933fef7b03831300ba
checks that strnlen(data, data_len) == UUID_LEN_STR, which fixes this case.

Thanks for the report,
наб
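
The length handling discussed in this message, as an added example that is not part of the original e-mail and is not code from ossp-uuid or from the fix commit: a lower-bound-only check beside an exact-length check, run on the two over-long strings from the report. The names `LEN_STR`, `syntax_ok`, `import_lenient` and `import_strict` are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LEN_STR 36 /* canonical 8-4-4-4-12 text form, without the NUL */

/* Syntax check over exactly the first LEN_STR characters of s. */
static bool syntax_ok(const char *s)
{
    for (size_t i = 0; i < LEN_STR; i++) {
        bool dash = (i == 8 || i == 13 || i == 18 || i == 23);
        if (dash ? s[i] != '-' : !isxdigit((unsigned char)s[i]))
            return false;
    }
    return true;
}

/* Lower bound only, like the check quoted in the thread: anything after
   the first LEN_STR characters is silently ignored. */
static bool import_lenient(const char *data, size_t data_len)
{
    if (data == NULL || data_len < LEN_STR)
        return false;
    return syntax_ok(data);
}

/* Exact length. memchr() gives the same value as strnlen(data, data_len)
   and never reads past data_len, even without a terminator. */
static bool import_strict(const char *data, size_t data_len)
{
    if (data == NULL)
        return false;
    const char *nul = memchr(data, '\0', data_len);
    size_t len = nul ? (size_t)(nul - data) : data_len;
    return len == LEN_STR && syntax_ok(data);
}

int main(void)
{
    /* Inputs from the report: one too long by "ad", one by ",". */
    const char *in[] = { "4eb841ca-ce98-4590-8ea2-c4643bfa537bad",
                         "4eb841ca-ce98-4590-8ea2-c4643bfa537b," };
    for (size_t i = 0; i < 2; i++)
        printf("%s lenient=%d strict=%d\n", in[i],
               import_lenient(in[i], strlen(in[i]) + 1),
               import_strict(in[i], strlen(in[i]) + 1));
    return 0;
}
```

The strict variant also rejects a buffer that holds 38 non-NUL bytes with no terminator, because the bounded length is then `data_len` rather than whatever `strlen()` would find beyond the buffer.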
