oss-sec mailing list archives

Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code

From: Jakub Wilk <jwilk () jwilk net>
Date: Mon, 1 Nov 2021 16:10:02 +0100

+    ('\u{202A}', ""), // The following unicode text flow control characters are inconsistently
+    ('\u{202B}', ""), // supported accross CLIs and can cause confusion due to the bytes on disk
+    ('\u{202D}', ""), // not corresponding to the visible source code, so we replace them always.
+    ('\u{202E}', ""),
+    ('\u{2066}', ""),
+    ('\u{2067}', ""),
+    ('\u{2068}', ""),
+    ('\u{202C}', ""),
+    ('\u{2069}', ""),

Is it intentional that (here and elsewhere in the patch) they didn'tinclude all the characters with the Bidi_Control property?


   $ grep -w Bidi_Control /usr/share/unicode/PropList.txt
   061C          ; Bidi_Control # Cf       ARABIC LETTER MARK
   200E..200F    ; Bidi_Control # Cf   [2] LEFT-TO-RIGHT MARK..RIGHT-TO-LEFT MARK
   202A..202E    ; Bidi_Control # Cf   [5] LEFT-TO-RIGHT EMBEDDING..RIGHT-TO-LEFT OVERRIDE
   2066..2069    ; Bidi_Control # Cf   [4] LEFT-TO-RIGHT ISOLATE..POP DIRECTIONAL ISOLATE

So U+061C, U+200E and U+200F appear to be missing from the patch.

--
Jakub Wilk

Current thread:

CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code Pietro Albini (Oct 31)
- Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code Jakub Wilk (Nov 01)
- Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code Dave Horsfall (Nov 01)