This is an automated email from the git hooks/post-receive script. ntyni pushed a commit to branch master in repository libdata-uuid-libuuid-perl.
commit d0bb299eeea16c6f2fead57bb5e3fa4f0dca163c Author: Niko Tyni <nt...@debian.org> Date: Tue Dec 6 23:28:50 2016 +0200 Add a UUID length sanity check when decoding base64 strings This fixes test failures on platforms where references stringify to 12 hex digits. Closes: #814929
---
...1-TODO-tests-for-base64-decoding-failures.patch | 49 ++++++++++++++++++++++
...a-base64-decoded-string-is-long-enough-to.patch | 49 ++++++++++++++++++++++
debian/patches/series | 2 +
3 files changed, 100 insertions(+)
diff --git a/debian/patches/0001-TODO-tests-for-base64-decoding-failures.patch b/debian/patches/0001-TODO-tests-for-base64-decoding-failures.patch
new file mode 100644
index 0000000..6408884
--- /dev/null
+++ b/debian/patches/0001-TODO-tests-for-base64-decoding-failures.patch
@@ -0,0 +1,49 @@
+From 8ad0790b6a228a7d5697da1878d2d63d177ca39e Mon Sep 17 00:00:00 2001
+From: Niko Tyni <nt...@debian.org>
+Date: Sun, 27 Nov 2016 13:58:29 +0200
+Subject: [PATCH 1/3] TODO tests for base64 decoding failures
+
+When the input is a suitably long string (24 to 26 characters),
+sv_to_uuid() decodes it as base64 but doesn't check if the result
+makes sense. The decoding process silently ignores illegal base64
+characters and padding after '='.
+
+This can break test 28 when Perl pointers stringify to a suitably
+long string, such as "Blah=HASH(0x555555f30d18)".
+
+Add TODO tests showing the behaviour on all platforms.
+
+Bug-Debian: https://bugs.debian.org/814929
+Bug: https://rt.cpan.org/Ticket/Display.html?id=119111
+---
+ t/basic.t | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/t/basic.t b/t/basic.t
+index bcba897..067b8b6 100644
+--- a/t/basic.t
++++ b/t/basic.t
+@@ -2,7 +2,7 @@
+
+ use strict;
+
+-use Test::More tests => 47;
++use Test::More tests => 50;
+
+ use ok 'Data::UUID::LibUUID' => ":all";
+
+@@ -70,6 +70,11 @@ is( uuid_to_binary(*STDOUT), undef, "to_binary(*STDOUT)" );
+ is( uuid_to_binary(sub { }), undef, "to_binary(sub { })" );
+ is( uuid_to_binary(42), undef, "to_binary(IV)" );
+
++for (19..21) {
++ local $::TODO = 'suitably long strings get blindly decoded (Debian #814929)';
++ is( uuid_to_binary("Blah=" . "x" x $_), undef, "to_binary(string_with_${_}_padding)");
++}
++
+ is( length(new_dce_uuid_string()), 36, 'new_dce_uuid_string ignores its args' );
+ is( length(new_dce_uuid_string( bless({}, "Foo"), "foo" )), 36, 'new_dce_uuid_string ignores its args' );
+
+--
+2.10.2
+
diff --git a/debian/patches/0002-Check-that-a-base64-decoded-string-is-long-enough-to.patch b/debian/patches/0002-Check-that-a-base64-decoded-string-is-long-enough-to.patch
new file mode 100644
index 0000000..255968c
--- /dev/null
+++ b/debian/patches/0002-Check-that-a-base64-decoded-string-is-long-enough-to.patch
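Review bot: The three cases added to t/basic.t in patch 0001 (`"Blah=" . "x" x $_` for 19..21) only cover inputs that, judging by the fix in the next patch, decode to the wrong length for a UUID, so the other failure mode named in the description stays unpinned. The description says the decoder silently ignores illegal base64 characters, so a 24 to 26 character string carrying a stray character can presumably still decode to exactly `sizeof(uuid_t)` bytes, and no test records whether `uuid_to_binary` should accept it. I would add one case next to the loop, e.g. `is( uuid_to_binary("!" . $valid_base64_uuid), undef, "to_binary(base64 with stray character)" );`, where `$valid_base64_uuid` is a placeholder for a known-good 24-character encoding and the expected value is whatever the module intends. Pinning this matters if callers use the string form as an identifier, because several distinct strings would then map to one UUID.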
@@ -0,0 +1,49 @@
+From 0e3a80f2a4f301ed66893c7297e3d57ad75e6dc0 Mon Sep 17 00:00:00 2001
+From: Niko Tyni <nt...@debian.org>
+Date: Sun, 27 Nov 2016 13:48:40 +0200
+Subject: [PATCH 2/3] Check that a base64 decoded string is long enough to be a
+ UUID
+
+This fixes test failures on platforms where Perl pointers stringify to
+a suitably long string, making "Blah=HASH(0x555555f30d18)" a candidate
+for base64 decoding.
+
+Bug-Debian: https://bugs.debian.org/814929
+Bug: https://rt.cpan.org/Ticket/Display.html?id=119111
+---
+ LibUUID.xs | 6 +++++-
+ t/basic.t | 1 -
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/LibUUID.xs b/LibUUID.xs
+index 00b4e4c..34d757d 100644
+--- a/LibUUID.xs
++++ b/LibUUID.xs
+@@ -139,7 +139,11 @@ STATIC IV sv_to_uuid (SV *sv, uuid_t uuid) {
+ call_pv("MIME::Base64::decode_base64", G_SCALAR);
+
+ SPAGAIN;
+- pv = SvPV_nolen(TOPs);
++ pv = SvPV(TOPs, len);
++
++ /* check that the decoded result looks plausible */
++ if (len != sizeof(uuid_t))
++ return 0;
+
+ /* fall through */
+ case sizeof(uuid_t):
+diff --git a/t/basic.t b/t/basic.t
+index 067b8b6..0dcbacc 100644
+--- a/t/basic.t
++++ b/t/basic.t
+@@ -71,7 +71,6 @@ is( uuid_to_binary(sub { }), undef, "to_binary(sub { })" );
+ is( uuid_to_binary(42), undef, "to_binary(IV)" );
+
+ for (19..21) {
+- local $::TODO = 'suitably long strings get blindly decoded (Debian #814929)';
+ is( uuid_to_binary("Blah=" . "x" x $_), undef, "to_binary(string_with_${_}_padding)");
+ }
+
+--
+2.10.2
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4f3a6a1
--- /dev/null
+++ b/debian/patches/series
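Review bot: The comment on the new length check in LibUUID.xs, "check that the decoded result looks plausible", understates what the check guards. Control falls through to `case sizeof(uuid_t):`, which presumably consumes `pv` as a whole UUID (its body is outside the hunk), and the replaced `SvPV_nolen` discarded the decoded length, so a shorter decode could have been read past its end. I would state that directly, e.g. `/* the sizeof(uuid_t) case below reads a whole uuid_t from pv; reject any other decoded length */`. Separately, the new `return 0` leaves `sv_to_uuid` right after `SPAGAIN` with the decoded scalar still on the stack (`TOPs` reads without popping). The call setup is above the hunk, so it is worth confirming whether this path needs a `PUTBACK` or scope cleanup.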
@@ -0,0 +1,2 @@
+0001-TODO-tests-for-base64-decoding-failures.patch
+0002-Check-that-a-base64-decoded-string-is-long-enough-to.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libdata-uuid-libuuid-perl.git _______________________________________________ Pkg-perl-cvs-commits mailing list Pkg-perl-cvs-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits