oss-sec mailing list archives
Re: Trojan Source Attacks
From: Jan Engelhardt <jengelh () inai de>
Date: Tue, 2 Nov 2021 02:21:58 +0100 (CET)
On Tuesday 2021-11-02 00:50, Perry E. Metzger wrote:
> On 11/1/21 16:51, Jan Engelhardt wrote:
>>> We have identified an issue affecting all compilers and interpreters that support Unicode. [...] The attached paper describes an attack paradigm -- which we believe to be novel -- discovered by security researchers at the University of Cambridge.
>>
>> Not so novel. At one time, this picture made the rounds (https://twitter.com/acronis/status/1019152990022787072 - the pic is likely older than this 2018 tweet), and anyone who knew that Unicode had zero-width characters already made the connection.
>
> If it was known to everyone, then why are so many language interpreters and compilers impacted? [...] (Claims that people who write compilers are fools will be cheerfully ignored.)

Perhaps a case of "not my problem". The filesystem layer of many an operating system does not care about filenames. The only rules, if any, are the special meaning of the hierarchy separator (if any) and perhaps a string terminator (if any). Compilers - could be the same thing. As long as the grammar is satisfied, why should they bother what comes in. ("Write/use better editors and frontends")
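
An added example, not part of the original message or thread: a pre-commit/review-side check of the kind a "better frontend" could run, reporting invisible Unicode characters in source text. The thread only mentions zero-width characters; covering the bidirectional controls and other format (Cf) characters is a generalization made here, and the function name and sample text are constructed for illustration.

```python
import unicodedata

# Zero-width characters are what the thread mentions; the bidirectional
# controls are added here as a generalization (assumption of this example).
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}
BIDI_CONTROLS = (set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))
                 | {0x200E, 0x200F, 0x061C})

def scan_source(text):
    """Return (line, column, 'U+XXXX NAME', kind) for each invisible character."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            # A byte-order mark as the very first character is legitimate.
            if cp == 0xFEFF and lineno == 1 and col == 1:
                continue
            if cp in BIDI_CONTROLS:
                kind = "bidi-control"
            elif cp in ZERO_WIDTH:
                kind = "zero-width"
            elif unicodedata.category(ch) == "Cf":
                kind = "other-format"  # any remaining invisible format character
            else:
                continue
            name = unicodedata.name(ch, "UNNAMED")
            findings.append((lineno, col, f"U+{cp:04X} {name}", kind))
    return findings

# Constructed sample, written with escapes so this file itself stays clean.
SAMPLE = (
    "\ufeffint count = 0;\n"
    "int cou\u200bnt = 1;\n"
    "/* note \u202e reversed display \u202c */\n"
)

if __name__ == "__main__":
    for lineno, col, desc, kind in scan_source(SAMPLE):
        print(f"line {lineno}, col {col}: {kind}: {desc}")
```
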