From: Clément Pit-Claudel
Newsgroups: gmane.emacs.devel
Subject: Re: Unicode confusables and reordering characters considered harmful
Date: Tue, 2 Nov 2021 10:43:04 -0400
Message-ID: <8b09eed8-36dd-61f5-2a8f-8525122df98c@gmail.com>
To: emacs-devel@gnu.org

On 11/2/21 8:57 AM, Vasilij Schneidermann wrote:
> There's a paper going around that demonstrates how two Unicode features
> can be used to trick source code auditors into misinterpreting program
> logic. The authors have suggested that language specifications should be
> amended, implementations should warn or raise errors and editor tooling
> should display visual warnings. Both issues are tracked as
> CVE-2021-42574 and CVE-2021-42694.

There is a good summary of the issue and relevant mitigations at https://research.swtch.com/trojan (it argues against compiler fixes and in favor of IDE enhancements.)
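
An added example, not part of the original message or of Emacs: a line scanner of the kind an editor or review hook could use to flag the two features discussed above, bidirectional formatting characters and identifiers that mix scripts. The function names, the first-word-of-the-Unicode-name script heuristic and the sample text are assumptions made for illustration.

```python
import re
import unicodedata

# Bidirectional formatting characters defined by Unicode UAX #9.
EMBED_OPEN = {"\u202a": "LRE", "\u202b": "RLE", "\u202d": "LRO", "\u202e": "RLO"}
ISOLATE_OPEN = {"\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI"}
CLOSERS = {"\u202c": "PDF", "\u2069": "PDI"}
MARKS = {"\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM"}
BIDI = {**EMBED_OPEN, **ISOLATE_OPEN, **CLOSERS, **MARKS}
IDENT = re.compile(r"[^\W\d]\w*")  # Unicode-aware identifier-like token

def script_of(ch):
    """Heuristic script tag (assumption): first word of the Unicode name."""
    if ch == "_" or ch.isdigit():
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def scan_line(line):
    """Return (kind, column, detail) findings for one source line."""
    findings, embed, isolate = [], 0, 0
    for col, ch in enumerate(line):
        if ch not in BIDI:
            continue
        findings.append(("bidi", col, BIDI[ch]))
        if ch in EMBED_OPEN:
            embed += 1
        elif ch in ISOLATE_OPEN:
            isolate += 1
        elif BIDI[ch] == "PDF":
            embed = max(embed - 1, 0)
        elif BIDI[ch] == "PDI":
            isolate = max(isolate - 1, 0)
    if embed or isolate:  # still open at end of line (simplified pairing)
        findings.append(("bidi-unterminated", len(line), str(embed + isolate)))
    for m in IDENT.finditer(line):
        scripts = {script_of(c) for c in m.group()} - {None}
        if len(scripts) > 1:
            findings.append(("mixed-script", m.start(), "+".join(sorted(scripts))))
    return findings

def scan(text):
    """Map 1-based line numbers to their findings, skipping clean lines."""
    hits = {n: scan_line(l) for n, l in enumerate(text.splitlines(), 1)}
    return {n: f for n, f in hits.items() if f}

# Constructed sample; escapes keep the invisible characters visible here.
SAMPLE = 'total = count + 1\nx = "a\u202eb"\nmsg = "\u2067abc\u2069"\np\u0430ssword = 1\n'
if __name__ == "__main__":
    for lineno, found in scan(SAMPLE).items():
        print(lineno, found)
```

Balanced isolates, as on the third sample line, are still reported as present so that a reviewer can decide whether right-to-left text is expected at that point.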