| Summary: | Take steps to detect malicious unicode in source code and pull requests | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | bo0od |
| Component: | Misc | Assignee: | Gentoo Security <security> |
| Status: | UNCONFIRMED --- | | |
| Severity: | major | CC: | ajak, gentoo |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=821154 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
bo0od
2022-07-30 19:07:22 UTC
I appreciate you raising the concern but this is a really generic bug that you've filed. It's not really specific to Gentoo at all in the points raised or specific suggestions, i.e. it needs tailoring.

(In reply to bo0od from comment #0)
> - [ ] **check if potential existing compromises:** scan all distribution
> source code for existing unicode
> - [ ] **educate existing and future distribution source code reviewers:**
> add a distribution source code reviewer policy to a github repository or on
> the distribution website which existing and future reviewers need to
> acknowledge that I understand the issue. More of a reminder, a conversation
> starter.

For GitHub at least, are we happy with the warning that they add (https://github.blog/changelog/2021-10-31-warning-about-bidirectional-unicode-text/)? Do we care about the other avenues of contribution?

> - [ ] **remove as much unicode from distribution source code as possible**:
> by reducing the amount of unicode in distribution source code, audits for
> malicious unicode with automated tools get simpler. If possible, if unicode
> is considered essential, instead of writing `®` when required it should be
> encoded as `®`.

I'm not sure I see any merit to this, but see also my comments to the following.

> - [ ] **local check by reviewer:** document tools that distribution source
> code reviewers could/should use to scan future contributions for malicious
> unicode

For this one I think it makes sense to be some kind of warning, maybe this is worth adding to pkgcheck? That won't cover all of the potential contributions to the entire distributions, but maybe good enough?

> - [ ] **remote cursory check:** add a github pull request hook that notifies
> when unicode is included in a pull request (This is just an additional,
> handy layer of protection. Since infrastructure should be distrusted this
> alone is not a full solution.)

Obsoleted by the native warning.

> - [ ] **build scripts / CI scripts:** should check if there is unicode in
> any files except in opt-in expected files. If there is unexpected unicode,
> the build should error out.
> - [ ] **scan upstream projects source code**: check if these are compromised
> by malicious unicode
> - [ ] **notify upstream projects**: these might not be aware of this issue
> and already compromised by malicious unicode.

While reasonable goals, I don't think these ecosystem-wide surveillance topics are at all tasks for Gentoo Security to handle.
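One way to implement the "build scripts / CI scripts" item from the quoted list (error out on Unicode outside opt-in files, and on bidirectional or invisible control characters in every file), written here as an added example that is not code from the bug, from Gentoo or from pkgcheck; the file suffix list and the allowlist-of-relative-paths format are assumptions:

```python
# Added example: CI-style scanner for unexpected or malicious Unicode in a source tree.
# Policy from the proposal: non-ASCII is an error unless the file is opted in; bidi
# controls and invisible characters are an error in every file, because they change
# what a reviewer sees without changing what the compiler parses.
import sys
import unicodedata
from pathlib import Path

# Unicode bidirectional controls: embeddings, overrides, isolates, LRM/RLM.
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
                 0x2066, 0x2067, 0x2068, 0x2069, 0x200E, 0x200F}
# Zero-width and format characters that render as nothing.
INVISIBLE = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}


def scan_text(text, path, allowed=False):
    """Return a list of (path, line, col, 'U+XXXX', reason) for each offending char."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp in BIDI_CONTROLS:
                reason = "bidi control"
            elif cp in INVISIBLE:
                reason = "invisible character"
            elif cp > 0x7F and not allowed:
                reason = "non-ASCII in non-allowlisted file"
            else:
                continue
            name = unicodedata.name(ch, "<unnamed>")
            findings.append((path, lineno, col, f"U+{cp:04X}", f"{reason} ({name})"))
    return findings


def scan_tree(root, allowlist=(), suffixes=(".c", ".py", ".sh", ".ebuild", ".eclass")):
    """Walk `root` (suffix list is an assumption); allowlisted relative paths may hold non-ASCII."""
    root = Path(root)
    findings = []
    for f in sorted(p for p in root.rglob("*") if p.is_file() and p.suffix in suffixes):
        rel = f.relative_to(root).as_posix()
        text = f.read_bytes().decode("utf-8", errors="replace")  # bad UTF-8 becomes U+FFFD
        findings.extend(scan_text(text, rel, allowed=rel in allowlist))
    return findings


if __name__ == "__main__":  # usage: scan_unicode.py ROOT [allowed/relative/path ...]
    hits = scan_tree(sys.argv[1], allowlist=set(sys.argv[2:]))
    for path, line, col, cp, reason in hits:
        print(f"{path}:{line}:{col}: {cp} {reason}")
    sys.exit(1 if hits else 0)  # any finding fails the build, as the proposal asks
```

The `allowed` flag only relaxes the plain non-ASCII rule; bidi and invisible characters are reported even in opt-in files, which is the case a reviewer most needs to see.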