Description
Active manifest is tracked by a unique identifier.
The identifier is always part of the exclusion list, so it is not cryptographically protected.
What if we change it?
For the test source, I used a picture from a Google Pixel 10. This file has one dependency and fully validates.

Test #1: Alter active manifest to random data.
With this test file, the active manifest is "urn:c2pa:959d8fa1-fe19-41d9-adf6-489b72b5389b".
cp test-source.jpg test-arbitrary.jpg
sed -i 's@c2pa:959d8fa1-fe19-41d9-adf6-489b72b5389b@Neal:Wuz-here-Neal-wuz-here-Neal-wuz-here@g' test-arbitrary.jpg
c2patool-0.23.4 test-arbitrary.jpg trust --trust_anchors C2PA-TRUST-LIST.pem > test-arbitrary.jpg.c2pa
Result #1: No error and no alteration detected.
Problem #1: In the CAI Discord and in conversations with C2PA representatives, I've asked how to distinguish C2PA versions. The repeated advice is to look at the urn. If it begins with "urn:c2pa:..." then it is v2.2. But in this case, I have changed the string from v2.2 to something different, and nothing noticed.
Test #2: Hostile manifest
With this file, there is a dependency with its own manifest id: "urn:c2pa:76408e7a-49e6-6cff-7084-4768507ccbed"
If the active manifest can be anything, what if I change it to be the same as the dependent manifest?
cp test-source.jpg test-duplicate1.jpg
sed -i 's@c2pa:959d8fa1-fe19-41d9-adf6-489b72b5389b@c2pa:76408e7a-49e6-6cff-7084-4768507ccbed@g' test-duplicate1.jpg
c2patool-0.23.4 test-duplicate1.jpg trust --trust_anchors C2PA-TRUST-LIST.pem > test-duplicate1.jpg.c2pa
Result #2: c2patool segfaults.
(I've never seen Rust segfault!)
Specifically:
c2patool 0.11.1 says "Error: claim could not be converted from CBOR"
c2patool 0.13.0 - 0.14.0 works. "assertion.required.missing" but the manifest is valid.
c2patool 0.16.4 says "Error: claim missing: label = urn:c2pa:76408e7a-49e6-6cff-7084-4768507ccbed"
c2patool 0.16.5 - 0.18.0 hangs indefinitely. (infinite loop?)
c2patool 0.19.0 - 0.23.4 segfaults.
Test #3: Hostile manifest
What if I change the dependency to have the same manifest as the active manifest?
cp test-source.jpg test-duplicate2.jpg
sed -i 's@c2pa:76408e7a-49e6-6cff-7084-4768507ccbed@c2pa:959d8fa1-fe19-41d9-adf6-489b72b5389b@g' test-duplicate2.jpg
c2patool-0.23.4 test-duplicate2.jpg trust --trust_anchors C2PA-TRUST-LIST.pem > test-duplicate2.jpg.c2pa
Result #3: Same as Result #2; c2patool segfaults, older versions hang.
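
A pre-validation check that rejects duplicate manifest labels and ingredient reference loops, the condition Tests #2 and #3 create, before any code follows the ingredient chain. This is an added example, not code from c2pa-rs or c2patool; `Manifest`, `StoreError`, `manifest` and `check_store` are hypothetical names, and the store is modelled as a constructed list of labels and ingredient reference labels with the active manifest last.

```rust
use std::collections::{HashMap, HashSet};

// Hypothetical, simplified model of one manifest in a manifest store: its
// label and the manifest labels its ingredient references point to.
pub struct Manifest { pub label: String, pub ingredient_refs: Vec<String> }

#[derive(Debug, PartialEq)]
pub enum StoreError { DuplicateLabel(String), MissingManifest(String), ReferenceCycle(String) }

pub fn manifest(label: &str, refs: &[&str]) -> Manifest {
    Manifest { label: label.into(), ingredient_refs: refs.iter().map(|r| r.to_string()).collect() }
}

// Run before any code follows ingredient references. Assumes the last entry
// in `store` is the active manifest.
pub fn check_store(store: &[Manifest]) -> Result<(), StoreError> {
    let mut by_label: HashMap<&str, &Manifest> = HashMap::new();
    for m in store {
        if by_label.insert(m.label.as_str(), m).is_some() {
            return Err(StoreError::DuplicateLabel(m.label.clone()));
        }
    }
    let active = match store.last() { Some(m) => m, None => return Ok(()) };
    // Iterative depth-first walk, so a malformed file cannot exhaust the call stack.
    let mut on_path: HashSet<&str> = HashSet::from([active.label.as_str()]);
    let mut done: HashSet<&str> = HashSet::new();
    let mut stack: Vec<(&Manifest, usize)> = vec![(active, 0)];
    while let Some((m, next)) = stack.pop() {
        if next == m.ingredient_refs.len() {
            on_path.remove(m.label.as_str());
            done.insert(m.label.as_str());
            continue;
        }
        stack.push((m, next + 1));
        let target = m.ingredient_refs[next].as_str();
        if on_path.contains(target) {
            return Err(StoreError::ReferenceCycle(target.to_string()));
        }
        if done.contains(target) { continue; }
        let child: &Manifest = *by_label.get(target)
            .ok_or_else(|| StoreError::MissingManifest(target.to_string()))?;
        on_path.insert(child.label.as_str());
        stack.push((child, 0));
    }
    Ok(())
}

fn main() {
    // Constructed input modelling Test #2: both manifests carry the same label.
    let dup = "urn:c2pa:76408e7a-49e6-6cff-7084-4768507ccbed";
    println!("{:?}", check_store(&[manifest(dup, &[]), manifest(dup, &[dup])]));
}
```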