From: Giovanni Biscuolo
To: guix-devel@gnu.org
Subject: "Trojan Source" (CVE-2021-42574 and CVE-2021-42694): can 'guix lint' help someway?
Organization: Xelera.eu
Date: Mon, 01 Nov 2021 12:30:38 +0100
Message-ID: <87fssgi04h.fsf@xelera.eu>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hello,

as probably many of you have
discovered, two new vulnerabilities were announced today that exploit the "bidirectional override" Unicode codepoints feature, making it possible to hide malicious source code in comments and literal strings /if/ the code review tool (e.g. editor) does not show this.

The details are published here: https://www.trojansource.codes/

Also see the related CVEs:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42694

I know that mitigations and patching of compilers and interpreters must be done upstream and not much can be done by Guix, but I'm asking /if/ Guix could help code reviewers by enhancing its lint function.

For example, the Rust security advisory for rustc [1] states:

--8<---------------cut here---------------start------------->8---
## Mitigations

[...]

If you can't upgrade your compiler version, or your codebase also includes non-Rust source code files, we recommend periodically checking that the following codepoints are not present in your repository and your dependencies: U+202A, U+202B, U+202C, U+202D, U+202E, U+2066, U+2067, U+2068, U+2069.

## Timeline of events

* 2021-07-25: we received the report and started working on a fix.
* 2021-09-14: the date for the embargo lift (2021-11-01) is communicated to us.
* 2021-10-17: performed an analysis of all the source code ever published to crates.io to check for the presence of this attack.
* 2021-11-01: embargo lifts, the vulnerability is disclosed and Rust 1.56.1 is released.
--8<---------------cut here---------------end--------------->8---

Is there a way for "guix lint" to check for the listed (other?) "dangerous" codepoints and warn code reviewers?

Is it possible for the Guix community to start a coordinated effort to analyze all the source code (ever?!?) published in our git repo to check for the presence of this attack?

AFAIU there is not much Guix can do for the "Homoglyph attacks" (CVE-2021-42694).

WDYT?
Happy hacking! Gio'

[1] https://www.openwall.com/lists/oss-security/2021/11/01/1

-- 
Giovanni Biscuolo
Xelera IT Infrastructures
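As an added example (not part of Giovanni's message, and not code from `guix lint` itself), the kind of check the quoted Rust advisory recommends: a small Python scanner that reports every occurrence of the nine bidirectional-control code points with file, line and column. The sample text and the tree-walking convention (skip `.git`) are constructed assumptions for illustration.

```python
"""Report the bidirectional-control code points the Rust advisory names
(U+202A..U+202E and U+2066..U+2069) wherever they occur in text or a tree."""
import unicodedata
from pathlib import Path
from typing import NamedTuple

# The nine code points listed in the advisory quoted above.
BIDI_CONTROLS = frozenset(
    [chr(cp) for cp in range(0x202A, 0x202F)]    # LRE, RLE, PDF, LRO, RLO
    + [chr(cp) for cp in range(0x2066, 0x206A)]  # LRI, RLI, FSI, PDI
)


class Finding(NamedTuple):
    path: str
    line: int       # 1-based line number
    column: int     # 1-based, counted in code points rather than bytes
    codepoint: str  # e.g. "U+202E", the form reviewers usually search for
    name: str       # Unicode character name, for a readable lint message


def scan_text(text: str, path: str = "<string>") -> list[Finding]:
    """Return one Finding per bidi control character found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append(Finding(path, lineno, col,
                                        f"U+{ord(ch):04X}", unicodedata.name(ch)))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Scan every regular file under `root`, skipping .git metadata.
    Files are decoded as UTF-8 with replacement so a binary blob does not
    abort the run; the control characters themselves survive decoding."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and ".git" not in p.parts:
            text = p.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(text, str(p)))
    return findings


# Constructed sample input: line 2 carries a RIGHT-TO-LEFT OVERRIDE and a
# POP DIRECTIONAL ISOLATE inside what looks like an ordinary comment.
SAMPLE = "x = 1\n# harmless comment \u202e hidden \u2069\ny = 2\n"

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "sample.py"):
        print(f"{f.path}:{f.line}:{f.column}: {f.codepoint} {f.name}")
```

Running it over a checkout is `scan_tree(Path("."))`; an empty result list means none of the nine code points is present, which is exactly the periodic check the advisory asks for.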