
Re: suggestion for checking unicode characters against "trojan source attacks"





On Mon, Nov 1, 2021 at 22:51, Jérémy Lal <kapouer@melix.org> wrote:


On Mon, Nov 1, 2021 at 22:29, Felix Lechner <felix.lechner@lease-up.com> wrote:
Hi,

On Mon, Nov 1, 2021 at 2:21 PM Jérémy Lal <kapouer@melix.org> wrote:
>
> grep -r $'[\u061C\u200E\u200F\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069]'

Does that cover both conditions?
 
It seems from the paper at
and the list given also at
that those nine characters are the ones that should be checked. 

There is a risk that it will be slow, by the way—but I generally favor
doing things right, so no problem here.

Maybe the Debian security team already has something in mind, or has a better understanding of this
CVE-2021-42574 and CVE-2021-42694 issue.

Update: the Python script I linked at the start of the conversation is now available at
https://github.com/siddhesh/find-unicode-control
I'm not sure it's worth packaging it - using grep looks somewhat simpler.

Jérémy
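
The grep check quoted above, written as an added Python example (it is not code from this thread or from find-unicode-control): it reports line, column, code point and Unicode name for each of the twelve code points in the grep's character class, and does not depend on the shell or locale. The name `scan_bytes` and the sample bytes are constructed for illustration.

```python
import sys
import unicodedata

# The twelve code points from the grep character class quoted in the thread.
BIDI_CONTROLS = frozenset(
    "\u061C\u200E\u200F\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069"
)


def scan_bytes(data, encoding="utf-8"):
    """Return (line, column, 'U+XXXX', name) for each bidi control in data.

    Undecodable bytes are replaced instead of raising, so one binary or
    mis-encoded file does not abort a scan of a whole source tree.
    """
    text = data.decode(encoding, errors="replace")
    findings = []
    # Split on "\n" only: str.splitlines() also breaks on U+2028/U+2029 and
    # would make line numbers disagree with grep and most editors.
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                name = unicodedata.name(ch, "UNKNOWN")
                findings.append((lineno, col, f"U+{ord(ch):04X}", name))
    return findings


# Constructed sample: a clean line, a comment wrapped in RLO ... PDF, and a
# line ending in a byte that is not valid UTF-8.
SAMPLE = (
    "int x = 1;\n/* note \u202Eabc\u202C */\n".encode("utf-8")
    + b"return x;\xff\n"
)

if __name__ == "__main__":
    # Usage: python scan.py FILE...   (exit status 1 if anything is found)
    status = 0
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for lineno, col, cp, name in scan_bytes(fh.read()):
                print(f"{path}:{lineno}:{col}: {cp} {name}")
                status = 1
    sys.exit(status)
```
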
