
Bug 821154 (CVE-2021-42574, CVE-2021-42694)

Summary: [Tracker] Unicode "bidirectional override" vulnerabilities
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: normal
CC: gentoo-bugzilla, gentoo, hlein
Priority: Normal
Keywords: Tracker
Version: unspecified
Hardware: All
OS: Linux
URL: https://trojansource.codes/
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=2005819
          https://bugs.gentoo.org/show_bug.cgi?id=862372
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 821181, 821220, 821157, 822135
Bug Blocks:

Description Sam James 2021-11-01 00:33:22 UTC
Quoting from the Rust advisory as it's the only public one so far:
"Unicode has support for both left-to-right and right-to-left languages, and to aid writing left-to-right words inside a right-to-left sentence (or vice versa) it also features invisible codepoints called "bidirectional override".

These codepoints are normally used across the Internet to embed a word inside a sentence of another language (with a different text direction), but it was reported to us that they could be used to manipulate how source code is displayed in some editors and code review tools, leading to the reviewed code being different than the compiled code. This is especially bad if the whole team relies on bidirectional-aware tooling."

- https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html
Comment 2 Hank Leininger 2021-11-01 19:22:56 UTC
Is anyone aware of a community-driven code scanning tool that has a public repo, issue tracker and can accept PRs?

Redhat has a nice beginning of a scanning tool here: https://access.redhat.com/security/vulnerabilities/RHSB-2021-007

Unfortunately, in its default mode it alerts on the BOM marker bytes (0xfe 0xff) that Windows editors like to put in the beginning of every(?) text file.

There are knobs to control which files are skipped, and to enable only printing bidi(rectional) control characters, but no way to suppress specific control characters, much less at specific file offsets.

Also it lacks a ^C handler, and it dies if it encounters a dangling symlink.

I see no license stated in find_unicode_control2.py or its accompanying README.txt, so I don't know the legality of posting improvements to it publicly.
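The scanner below is an added example written for this tracker page; it is not the Red Hat find_unicode_control2.py script, nor Gentoo or Rust project code, and nothing in it is drawn from those tools. It illustrates both the mechanism in the description (an RLI/PDI pair that makes the reviewed text differ from what the interpreter runs) and the scanner properties asked for in Comment 2: only the nine bidi control characters are reported, a leading BOM is dropped on decode rather than flagged, specific characters or specific (path, line, column) locations can be suppressed, dangling symlinks and unreadable files are skipped, and Ctrl-C ends the run cleanly. All function names, the SAMPLE source and the demo directory layout are assumptions made for this example.

```python
"""Scanner for Unicode bidirectional control characters (Trojan Source, CVE-2021-42574).

Added example for this page; not the Red Hat find_unicode_control2.py script.
"""
import codecs
import os
import sys
import tempfile
from typing import NamedTuple

# The nine bidi control characters the Trojan Source attacks rely on.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


class Finding(NamedTuple):
    path: str
    line: int       # 1-based
    column: int     # 1-based, counted in code points
    codepoint: int
    name: str


def scan_text(text: str, path: str = "<text>", ignore=frozenset(), allow_at=frozenset()) -> list:
    """Return a Finding for each bidi control in text.

    ignore:   characters never to report (e.g. a project that legitimately uses LRI/PDI)
    allow_at: (path, line, column) triples that were reviewed and accepted
    """
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS and ch not in ignore and (path, lineno, col) not in allow_at:
                found.append(Finding(path, lineno, col, ord(ch), BIDI_CONTROLS[ch]))
    return found


def decode_bytes(raw: bytes) -> str:
    """Decode UTF-8 or UTF-16 text, dropping a leading BOM so it never shows up as a hit."""
    if raw.startswith(codecs.BOM_UTF8):
        return raw[len(codecs.BOM_UTF8):].decode("utf-8", errors="replace")
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16", errors="replace")  # the utf-16 codec consumes the BOM
    return raw.decode("utf-8", errors="replace")


def scan_tree(root: str, **kw) -> list:
    """Walk root; dangling symlinks and unreadable files are skipped, not fatal."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.exists(path):        # os.walk lists dangling symlinks; open() would fail
                continue
            try:
                with open(path, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue
            findings.extend(scan_text(decode_bytes(raw), path, **kw))
    return findings


# Constructed sample (assumption, not from the page): the docstring holds an RLI and the
# trailing comment a PDI. A bidi-aware viewer reorders the isolated run, so the
# "''' ; return True" can appear to be part of the docstring, while the interpreter sees
# the string close and an unconditional "return True" before the real check.
SAMPLE = (
    "ADMINS = {'alice'}\n"
    "def is_admin(user):\n"
    "    ''' Check admin rights \u2067''' ; return True  # \u2069\n"
    "    return user in ADMINS\n"
)


def compiled_behaviour(source: str = SAMPLE, user: str = "mallory") -> bool:
    """What the interpreter actually runs: the hidden early return grants everyone admin."""
    ns = {}
    exec(compile(source, "<sample>", "exec"), ns)
    return ns["is_admin"](user)


def demo_tree() -> list:
    """Write SAMPLE, a BOM-prefixed text file and a dangling symlink to a temp dir, then scan."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "auth.py"), "wb") as fh:
            fh.write(SAMPLE.encode("utf-8"))
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(codecs.BOM_UTF8 + b"plain text with a BOM\n")   # must not be reported
        try:
            os.symlink(os.path.join(tmp, "does-not-exist"), os.path.join(tmp, "dangling"))
        except OSError:
            pass                                # symlinks unsupported here; skip that part
        return [f._replace(path=os.path.basename(f.path)) for f in scan_tree(tmp)]


def main(argv=None) -> int:
    args = argv if argv is not None else sys.argv[1:]
    try:
        findings = scan_tree(args[0]) if args else demo_tree()
        for f in findings:
            print(f"{f.path}:{f.line}:{f.column}: U+{f.codepoint:04X} {f.name}")
        return 1 if findings else 0
    except KeyboardInterrupt:
        print("interrupted", file=sys.stderr)
        return 130


if __name__ == "__main__":
    sys.exit(main())
```

Run it with a directory argument to scan a tree, or with no arguments to scan the built-in demo directory; the exit status is 1 when anything is found, so it can gate a commit hook. Reporting only the bidi controls (and decoding the BOM away) is what keeps Windows-authored files quiet; the ignore and allow_at parameters cover the two suppression cases raised above.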