Summary: | [Tracker] Unicode "bidirectional override" vulnerabilities | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | IN_PROGRESS | Resolution: | --- |
Severity: | normal | CC: | gentoo-bugzilla, gentoo, hlein |
Priority: | Normal | Keywords: | Tracker |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://trojansource.codes/ | | |
See Also: | https://bugzilla.redhat.com/show_bug.cgi?id=2005819, https://bugs.gentoo.org/show_bug.cgi?id=862372 | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 821181, 821220, 821157, 822135 | | |
Bug Blocks: | | | |
Description
Sam James

- https://www.lightbluetouchpaper.org/2021/11/01/trojan-source-invisible-vulnerabilities/
- https://github.com/nickboucher/trojan-source

Is anyone aware of a community-driven code scanning tool that has a public repo, issue tracker and can accept PRs?

Red Hat has a nice beginning of a scanning tool here: https://access.redhat.com/security/vulnerabilities/RHSB-2021-007

Unfortunately, in its default mode it alerts on the BOM marker bytes (0xfe 0xff) that Windows editors like to put at the beginning of every(?) text file. There are knobs to control which files are skipped, and to enable only printing bidi(rectional) control characters, but no way to suppress specific control characters, much less at specific file offsets. Also it lacks a ^C handler, and it dies if it encounters a dangling symlink.

I see no license stated in find_unicode_control2.py or its accompanying README.txt, so I don't know the legality of posting improvements to it publicly.
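The shortcomings listed in the comment above (BOM bytes reported as findings, no per-offset suppression, no ^C handling, death on dangling symlinks) are easy to avoid in a small purpose-built scanner. The following is an added example written for this page; it is not the Red Hat find_unicode_control2.py tool, not part of the Gentoo tracker, and not an exploit. It reports only the nine Unicode bidi control code points the Trojan Source paper relies on, decodes a leading BOM instead of flagging it, accepts an allowlist of (path, character offset) pairs, skips unreadable files and dangling symlinks, and returns partial results on ^C. The sample C source it scans is constructed for the example; the function names are mine.

```python
"""Scan a source tree for Unicode bidirectional control characters.

Added example for the tracker discussion; not the Red Hat scanner.
Design points, each answering an item from the comment above:
  * only the bidi embedding/override/isolate controls are findings, so a
    UTF-8 or UTF-16 BOM at the start of a file never alerts by itself;
  * an allowlist of (path, character offset) suppresses individual hits;
  * unreadable files and dangling symlinks are skipped, not fatal;
  * KeyboardInterrupt stops the walk and returns what was found so far.
"""
import os
import sys
from dataclasses import dataclass
from typing import FrozenSet, Iterator, List, Optional, Set, Tuple, Union

# Explicit bidi formatting characters: embeddings, overrides, isolates
# and their terminators. These are what reorder source text visually.
BIDI_CONTROLS = {
    0x202A: "LRE", 0x202B: "RLE", 0x202C: "PDF", 0x202D: "LRO", 0x202E: "RLO",
    0x2066: "LRI", 0x2067: "RLI", 0x2068: "FSI", 0x2069: "PDI",
}

# Byte-order marks that editors prepend; each selects the decoder to use.
BOMS = (
    (b"\xef\xbb\xbf", "utf-8"),
    (b"\xff\xfe", "utf-16-le"),
    (b"\xfe\xff", "utf-16-be"),
)


@dataclass(frozen=True)
class Finding:
    path: str
    offset: int      # character offset in the decoded text (0-based)
    line: int        # 1-based line number
    codepoint: int
    name: str


def decode_with_bom(data: bytes) -> Optional[str]:
    """Decode text honouring a leading BOM; None means 'not text, skip'."""
    for bom, enc in BOMS:
        if data.startswith(bom):
            try:
                return data[len(bom):].decode(enc)
            except UnicodeDecodeError:
                return None
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def scan_text(path: str, text: str) -> Iterator[Finding]:
    """Yield one Finding per bidi control character in already-decoded text."""
    line = 1
    for offset, ch in enumerate(text):
        cp = ord(ch)
        if cp in BIDI_CONTROLS:
            yield Finding(path, offset, line, cp, BIDI_CONTROLS[cp])
        if ch == "\n":
            line += 1


def scan_bytes(path: str, data: bytes,
               allow: Union[Set[Tuple[str, int]], FrozenSet[Tuple[str, int]]] = frozenset()
               ) -> List[Finding]:
    """Scan raw file contents; drop findings whose (path, offset) is allowlisted."""
    text = decode_with_bom(data)
    if text is None:
        return []
    return [f for f in scan_text(path, text) if (path, f.offset) not in allow]


def scan_file(path: str, allow=frozenset()) -> List[Finding]:
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:          # dangling symlink, permissions, vanished file
        return []
    return scan_bytes(path, data, allow)


def walk_files(root: str) -> Iterator[str]:
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) and not os.path.exists(p):
                continue     # dangling symlink: skip rather than crash
            if os.path.isfile(p):
                yield p


def scan_tree(root: str, allow=frozenset()) -> List[Finding]:
    """Walk root; on ^C stop early and return the findings collected so far."""
    findings: List[Finding] = []
    try:
        for p in walk_files(root):
            findings.extend(scan_file(p, allow))
    except KeyboardInterrupt:
        print("interrupted; returning partial results", file=sys.stderr)
    return findings


# Constructed sample (not from the page): a comment whose closing "*/" is
# hidden by RLO/LRI so the admin check appears commented out when rendered.
SAMPLE_SOURCE = (
    "int main(void) {\n"
    "    /* begin admins only \u202e { \u2066*/ if (is_admin) \u2069 \u2066 */\n"
    "    return 0;\n"
    "}\n"
)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in scan_tree(root):
        print(f"{f.path}:{f.line}: U+{f.codepoint:04X} ({f.name}) at char offset {f.offset}")
```

Run it as `python3 scan_bidi.py /path/to/tree`; a hit is printed with its line and character offset so it can be added to an allowlist once reviewed. Decoding the BOM rather than matching raw bytes is what keeps the "every Windows text file alerts" noise out while still catching a control character that follows a BOM.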