This is an automated email from the git hooks/post-receive script.

ntyni pushed a commit to branch master
in repository libdata-uuid-libuuid-perl.

commit d0bb299eeea16c6f2fead57bb5e3fa4f0dca163c
Author: Niko Tyni <nt...@debian.org>
Date:   Tue Dec 6 23:28:50 2016 +0200

    Add a UUID length sanity check when decoding base64 strings
    
    This fixes test failures on platforms where references stringify
    to 12 hex digits.
    
    Closes: #814929
---
 ...1-TODO-tests-for-base64-decoding-failures.patch | 49 ++++++++++++++++++++++
 ...a-base64-decoded-string-is-long-enough-to.patch | 49 ++++++++++++++++++++++
 debian/patches/series                              |  2 +
 3 files changed, 100 insertions(+)

diff --git a/debian/patches/0001-TODO-tests-for-base64-decoding-failures.patch 
b/debian/patches/0001-TODO-tests-for-base64-decoding-failures.patch
new file mode 100644
index 0000000..6408884
--- /dev/null
+++ b/debian/patches/0001-TODO-tests-for-base64-decoding-failures.patch
@@ -0,0 +1,49 @@
+From 8ad0790b6a228a7d5697da1878d2d63d177ca39e Mon Sep 17 00:00:00 2001
+From: Niko Tyni <nt...@debian.org>
+Date: Sun, 27 Nov 2016 13:58:29 +0200
+Subject: [PATCH 1/3] TODO tests for base64 decoding failures
+
+When the input is a suitably long string (24 to 26 characters),
+sv_to_uuid() decodes it as base64 but doesn't check if the result
+makes sense. The decoding process silently ignores illegal base64
+characters and padding after '='.
+
+This can break test 28 when Perl pointers stringify to a suitably
+long string, such as "Blah=HASH(0x555555f30d18)".
+
+Add TODO tests showing the behaviour on all platforms.
+
+Bug-Debian: https://bugs.debian.org/814929
+Bug: https://rt.cpan.org/Ticket/Display.html?id=119111
+---
+ t/basic.t | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/t/basic.t b/t/basic.t
+index bcba897..067b8b6 100644
+--- a/t/basic.t
++++ b/t/basic.t
+@@ -2,7 +2,7 @@
+ 
+ use strict;
+ 
+-use Test::More tests => 47;
++use Test::More tests => 50;
+ 
+ use ok 'Data::UUID::LibUUID' => ":all";
+ 
+@@ -70,6 +70,11 @@ is( uuid_to_binary(*STDOUT), undef, "to_binary(*STDOUT)" );
+ is( uuid_to_binary(sub { }), undef, "to_binary(sub { })" );
+ is( uuid_to_binary(42), undef, "to_binary(IV)" );
+ 
++for (19..21) {
++    local $::TODO = 'suitably long strings get blindly decoded (Debian 
#814929)';
++    is( uuid_to_binary("Blah=" . "x" x $_), undef, 
"to_binary(string_with_${_}_padding)");
++}
++
+ is( length(new_dce_uuid_string()), 36, 'new_dce_uuid_string ignores its args' 
);
+ is( length(new_dce_uuid_string( bless({}, "Foo"), "foo" )), 36, 
'new_dce_uuid_string ignores its args' );
+ 
+-- 
+2.10.2
+
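Review bot: The loop bounds `for (19..21)` are magic numbers: with the 5-character `"Blah="` prefix they yield inputs of 24 to 26 characters, the length window the patch description says sv_to_uuid() hands to base64 decoding, but nothing in the test says so; suggest `# "Blah=" plus 19..21 x's gives 24-26 chars, the lengths sv_to_uuid() treats as base64` above the loop. All three cases rely on a mid-string '=' cutting the decode short; a 24-character input of valid base64 characters with no padding decodes to 18 bytes, which the pre-fix code presumably truncated to a UUID without complaint, so a case such as `is( uuid_to_binary("A" x 24), undef, "to_binary(24 valid base64 chars)" );` would pin that path as well (the `tests => 50` plan would then need bumping).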
diff --git 
a/debian/patches/0002-Check-that-a-base64-decoded-string-is-long-enough-to.patch
 
b/debian/patches/0002-Check-that-a-base64-decoded-string-is-long-enough-to.patch
new file mode 100644
index 0000000..255968c
--- /dev/null
+++ 
b/debian/patches/0002-Check-that-a-base64-decoded-string-is-long-enough-to.patch
@@ -0,0 +1,49 @@
+From 0e3a80f2a4f301ed66893c7297e3d57ad75e6dc0 Mon Sep 17 00:00:00 2001
+From: Niko Tyni <nt...@debian.org>
+Date: Sun, 27 Nov 2016 13:48:40 +0200
+Subject: [PATCH 2/3] Check that a base64 decoded string is long enough to be a
+ UUID
+
+This fixes test failures on platforms where Perl pointers stringify to
+a suitably long string, making "Blah=HASH(0x555555f30d18)" a candidate
+for base64 decoding.
+
+Bug-Debian: https://bugs.debian.org/814929
+Bug: https://rt.cpan.org/Ticket/Display.html?id=119111
+---
+ LibUUID.xs | 6 +++++-
+ t/basic.t  | 1 -
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/LibUUID.xs b/LibUUID.xs
+index 00b4e4c..34d757d 100644
+--- a/LibUUID.xs
++++ b/LibUUID.xs
+@@ -139,7 +139,11 @@ STATIC IV sv_to_uuid (SV *sv, uuid_t uuid) {
+                 call_pv("MIME::Base64::decode_base64", G_SCALAR);
+ 
+                 SPAGAIN;
+-                pv = SvPV_nolen(TOPs);
++                pv = SvPV(TOPs, len);
++
++                /* check that the decoded result looks plausible */
++                if (len != sizeof(uuid_t))
++                    return 0;
+ 
+                 /* fall through */
+             case sizeof(uuid_t):
+diff --git a/t/basic.t b/t/basic.t
+index 067b8b6..0dcbacc 100644
+--- a/t/basic.t
++++ b/t/basic.t
+@@ -71,7 +71,6 @@ is( uuid_to_binary(sub { }), undef, "to_binary(sub { })" );
+ is( uuid_to_binary(42), undef, "to_binary(IV)" );
+ 
+ for (19..21) {
+-    local $::TODO = 'suitably long strings get blindly decoded (Debian 
#814929)';
+     is( uuid_to_binary("Blah=" . "x" x $_), undef, 
"to_binary(string_with_${_}_padding)");
+ }
+ 
+-- 
+2.10.2
+
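Review bot: The new `return 0;` exits while the SV pushed by `call_pv()` is still on the Perl stack, since it runs right after `SPAGAIN` with no `POPs`/`PUTBACK`, and if sv_to_uuid brackets the call with `ENTER; SAVETMPS;` (its body starts and ends outside this hunk) the matching `FREETMPS; LEAVE;` is skipped as well; the guard should perform whatever cleanup the fall-through path does before returning, e.g. `if (len != sizeof(uuid_t)) { PUTBACK; FREETMPS; LEAVE; return 0; }` if those macros appear there. `len` is presumably a `STRLEN` declared earlier in the function, which `SvPV` requires since it writes through it. The comment `/* check that the decoded result looks plausible */` understates the check: a short decode such as `"Blah=..."`, which yields only a few bytes, would otherwise fall into the `case sizeof(uuid_t):` path and presumably be read as 16 bytes, i.e. past the end of the decoded buffer; suggest `/* decode_base64 ignores junk and stops at '=', so the result may be shorter than a UUID; accept exactly sizeof(uuid_t) bytes so the case below never reads past the decoded buffer */`.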
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4f3a6a1
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+0001-TODO-tests-for-base64-decoding-failures.patch
+0002-Check-that-a-base64-decoded-string-is-long-enough-to.patch
