
List:       oss-security
Subject:    Re: [oss-security] Trojan Source Attacks
From:       Stuart D Gathman <stuart () gathman ! org>
Date:       2021-11-02 20:52:33
Message-ID: cb5b46fd-8e2c-2638-c23-f557483c6fa () gathman ! org

On Mon, 1 Nov 2021, Nicholas Boucher wrote:

> The first and primary technique, which we dub the Trojan Source attack, uses
> Unicode Bidirectional (Bidi) control characters embedded in comments and
> string literals to produce visually deceptive source code files. This
> technique enables an adversary to encode constructs that visually appear to
> be comments or string literals but execute as code, or vice versa. Complete
> details, as well as recommended mitigations, can be found in the attachment
> 001 Trojan Source.pdf. This vulnerability is tracked under CVE-2021-42574.

Syntax coloring thus becomes a critical security tool.  And bugs in
syntax coloring for an editor/viewer should be considered security flaws
and reported on oss-security.
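Added example, not part of the original post, the quoted paper, or any project's code: a small scanner for the Unicode Bidi control characters the quoted text describes, which an editor, reviewer, or pre-commit hook can run over a source file to catch what syntax coloring may fail to show. The function names (`scan_source`, `unbalanced_lines`), the `CONSTRUCTED_SOURCE` sample and its comment/string contents are assumptions made for this illustration; the "unterminated control on a line" rule it checks is the same condition compilers such as GCC 12 warn about with -Wbidi-chars.

```python
# Added example (not from the original post): scan source text for the Unicode
# Bidi control characters that CVE-2021-42574 ("Trojan Source") abuses.
import unicodedata

# Bidi formatting characters: embeddings/overrides, isolates, and the two
# terminators that close them. Any of these in source code deserves a look.
BIDI_CONTROLS = {
    "\u202A": "LRE",  # LEFT-TO-RIGHT EMBEDDING
    "\u202B": "RLE",  # RIGHT-TO-LEFT EMBEDDING
    "\u202C": "PDF",  # POP DIRECTIONAL FORMATTING
    "\u202D": "LRO",  # LEFT-TO-RIGHT OVERRIDE
    "\u202E": "RLO",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066": "LRI",  # LEFT-TO-RIGHT ISOLATE
    "\u2067": "RLI",  # RIGHT-TO-LEFT ISOLATE
    "\u2068": "FSI",  # FIRST STRONG ISOLATE
    "\u2069": "PDI",  # POP DIRECTIONAL ISOLATE
}

# Each opener and the terminator that must close it.
OPENERS = {
    "\u202A": "\u202C", "\u202B": "\u202C", "\u202D": "\u202C", "\u202E": "\u202C",
    "\u2066": "\u2069", "\u2067": "\u2069", "\u2068": "\u2069",
}
TERMINATORS = {"\u202C", "\u2069"}


def scan_source(text):
    """Return (line_no, col, abbrev, unicode_name) for every Bidi control found.
    line_no and col are 1-based; col counts code points, not bytes."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((line_no, col, BIDI_CONTROLS[ch], unicodedata.name(ch)))
    return findings


def unbalanced_lines(text):
    """Return line numbers whose openers and terminators do not pair up within
    the line. Bidi reordering is scoped to a paragraph (here, a line), so an
    opener left unclosed keeps reordering everything to the end of that line,
    which is how rendered text can disagree with what the compiler parses."""
    bad = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stack, ok = [], True
        for ch in line:
            if ch in OPENERS:
                stack.append(OPENERS[ch])
            elif ch in TERMINATORS:
                if stack and stack[-1] == ch:
                    stack.pop()
                else:
                    ok = False  # stray or mismatched terminator
                    break
        if not ok or stack:
            bad.append(line_no)
    return bad


# Constructed sample (not real project code): line 2 hides an RLI in a comment
# and never closes it; line 3 carries a properly paired RLO ... PDF in a string.
CONSTRUCTED_SOURCE = (
    "import sys\n"
    "# TODO: tidy this up \u2067 later\n"
    "label = 'abc\u202Edef\u202C'\n"
    "print(label)\n"
)

if __name__ == "__main__":
    for line_no, col, abbrev, name in scan_source(CONSTRUCTED_SOURCE):
        print(f"line {line_no} col {col}: U+{ord(chr(0)):04X} placeholder" if False
              else f"line {line_no} col {col}: {abbrev} ({name})")
    for line_no in unbalanced_lines(CONSTRUCTED_SOURCE):
        print(f"line {line_no}: Bidi control not terminated on this line")
```

Run it against a file with `scan_source(open(path, encoding="utf-8").read())`; `scan_source` lists every control so a reviewer can decide whether a paired override in a string literal is legitimate (for example, genuinely right-to-left UI text), while `unbalanced_lines` is the stricter check that is safe to fail a build on.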
