From: Vasilij Schneidermann <mail@vasilij.de>
To: emacs-devel@gnu.org
Subject: Unicode confusables and reordering characters considered harmful
Date: Tue, 2 Nov 2021 13:57:20 +0100
Message-ID: <YYE1sEv6yS1bBUcu@odonien.localdomain>

There's a paper going around that demonstrates how two Unicode features
can be used to trick source code auditors into misinterpreting program
logic. The authors have suggested that language specifications should be
amended, implementations should warn or raise errors and editor tooling
should display visual warnings. Both issues are tracked as
CVE-2021-42574 and CVE-2021-42694.

The first issue is about bidirectional reordering characters. If bidi
text rendering is not needed, it's easy enough to work around with
`(setq-default bidi-display-reordering nil)`. Some people already make
use of this to speed up redisplay. Maybe there's a better solution, such
as automatically detecting whether the user is working with a RTL script
and only then enable bidi text rendering.

The second issue is about mixed-script confusable characters. Emacs does
not appear to have a workaround for that. I've come across the
uni-confusables package in GNU ELPA, but it merely sets up character
tables. The only mention of confusables I can find in the Emacs sources
is for `help-uni-confusables` which contains a much smaller list for
quotation marks, used in help buffers and elisp buffers. A
possible solution would be to implement the Unicode confusables
algorithm and expose it in the uni-confusables package.

Vasilij

https://trojansource.codes/
https://www.trojansource.codes/trojan-source.pdf
https://github.com/nickboucher/trojan-source
https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/
https://unicode.org/reports/tr39/#Confusable_Detection
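
An added example, not part of the original message and not code from Emacs or the uni-confusables package: a buffer audit covering both issues raised above, reporting explicit bidi control characters and identifier-like tokens that mix scripts. All `audit-` names are hypothetical, and the mixed-script check relies on Emacs's built-in `char-script-table` as an approximation; it is not the UTS #39 confusable skeleton algorithm.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example: every `audit-' name is hypothetical, not part of Emacs.
(defconst audit-bidi-regexp "[\u202a-\u202e\u2066-\u2069]"
  "Explicit bidi embeddings, overrides and isolates (LRE..RLO, LRI..PDI).")

(defun audit--scan (regexp fn)
  "Call FN at each match of REGEXP in the buffer; collect non-nil results."
  (let (hits)
    (save-excursion
      (save-restriction
        (widen)
        (goto-char (point-min))
        (while (re-search-forward regexp nil t)
          (let ((hit (funcall fn (match-beginning 0) (match-string 0))))
            (when hit (push hit hits))))))
    (nreverse hits)))

(defun audit-bidi-controls ()
  "Return (LINE COLUMN NAME) for each bidi control in the current buffer."
  (audit--scan audit-bidi-regexp
               (lambda (pos str)
                 (list (line-number-at-pos pos)
                       (save-excursion (goto-char pos)
                                       (- pos (line-beginning-position)))
                       (get-char-code-property (aref str 0) 'name)))))

(defun audit-mixed-script-tokens ()
  "Return (LINE TOKEN SCRIPTS) for identifier-like tokens mixing scripts."
  (audit--scan "[[:alnum:]_]+"
               (lambda (pos str)
                 ;; `char-script-table' maps each character to a script symbol.
                 (let ((scripts (delete-dups
                                 (delq nil (mapcar (lambda (c)
                                                     (aref char-script-table c))
                                                   str)))))
                   (when (cdr scripts)
                     (list (line-number-at-pos pos) str scripts))))))

(defun audit-warn-on-visit ()
  "Warn when a visited source file has bidi controls or mixed-script tokens."
  (when (derived-mode-p 'prog-mode)
    (let ((bidi (audit-bidi-controls))
          (mixed (audit-mixed-script-tokens)))
      (when (or bidi mixed)
        (display-warning
         'audit (format "%s: bidi controls %S, mixed-script tokens %S"
                        (buffer-name) bidi mixed))))))

(add-hook 'find-file-hook #'audit-warn-on-visit)
```

The mixed-script check flags any token spanning two scripts, so legitimate text such as Japanese words combining kana and kanji will also be reported; treat hits as prompts for review rather than as findings.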