List:       oss-security
Subject:    Re: [oss-security] Trojan Source Attacks
From:       Jan Engelhardt <jengelh () inai ! de>
Date:       2021-11-02 1:21:58
Message-ID: 4rs9o8oo-3q9s-1276-r921-6r9n436o758 () vanv ! qr

On Tuesday 2021-11-02 00:50, Perry E. Metzger wrote:

> On 11/1/21 16:51, Jan Engelhardt wrote:
>>> We have identified an issue affecting all compilers and interpreters that
>>> support Unicode.
>>> [...]
>>> The attached paper describes an attack paradigm -- which we believe to be
>>> novel -- discovered by security researchers at the
>>> University of Cambridge.
>> Not so novel. At one time, this picture made the rounds
>> (https://twitter.com/acronis/status/1019152990022787072 - the pic is likely
>> older than this 2018 tweet), and anyone who knew that Unicode had zero-width
>> characters already made the connection.
>
> If it was known to everyone, then why are so many language interpreters and
> compilers impacted? [...] (Claims that people who write
> compilers are fools will be cheerfully ignored.)

Perhaps a case of "not my problem".

The filesystem layer of many an operating system does not care about filenames.
The only rules, if any, are the special meaning of the hierarchy separator (if
any) and perhaps a string terminator (if any).

Compilers - could be the same thing. As long as the grammar is satisfied,
why should they bother what comes in. ("Write/use better editors and frontends")
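
An added example, not part of the message above and not code from any compiler or editor project: a pre-compile check of the kind the "better editors and frontends" remark points to. It reports every Unicode format character (general category Cf, which includes the zero-width characters mentioned in the thread) and shows that the language's own parser accepts the same text. The sample source and the function names are constructed for illustration.

```python
import unicodedata

# Constructed sample: a zero-width space (U+200B) inside a string literal
# and a zero-width joiner (U+200D) inside a comment. Neither is visible
# in most editors or diff viewers.
SAMPLE = (
    "\ufeff"  # leading byte-order mark, legitimate at offset 0 only
    'label = "ok\u200b"\n'
    "# note \u200d for reviewers\n"
    "print(label)\n"
)


def find_invisible(source):
    """Return (line, column, 'U+XXXX', name) for each format character.

    Unicode general category Cf covers the zero-width characters and the
    bidirectional controls, none of which render as a visible glyph.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue  # a BOM is only expected as the first character
            if unicodedata.category(ch) == "Cf":
                name = unicodedata.name(ch, "<unnamed>")
                findings.append((lineno, col, f"U+{ord(ch):04X}", name))
    return findings


def compiler_accepts(source):
    """True if Python's own parser takes the text without complaint."""
    try:
        compile(source.lstrip("\ufeff"), "<constructed>", "exec")
        return True
    except SyntaxError:
        return False


if __name__ == "__main__":
    print("compiles:", compiler_accepts(SAMPLE))
    for finding in find_invisible(SAMPLE):
        print("line %d col %d: %s %s" % finding)
```

The grammar is satisfied, so the parser raises nothing; only the separate scan makes the two characters visible to a reviewer.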