From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id aMpTH+rtf2FFoQAAgWs5BA (envelope-from ) for ; Mon, 01 Nov 2021 14:38:50 +0100 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id KLACG+rtf2GaFwAAB5/wlQ (envelope-from ) for ; Mon, 01 Nov 2021 13:38:50 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 38DF122653 for ; Mon, 1 Nov 2021 14:38:50 +0100 (CET) Received: from localhost ([::1]:57774 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mhXWT-0003Ts-EW for larch@yhetil.org; Mon, 01 Nov 2021 09:38:49 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:60806) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mhXWJ-0003Tj-KV for guix-devel@gnu.org; Mon, 01 Nov 2021 09:38:39 -0400 Received: from wout5-smtp.messagingengine.com ([64.147.123.21]:33493) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mhXWH-0001H4-Gs for guix-devel@gnu.org; Mon, 01 Nov 2021 09:38:39 -0400 Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.west.internal (Postfix) with ESMTP id 75F0432019BD; Mon, 1 Nov 2021 09:38:32 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute6.internal (MEProxy); Mon, 01 Nov 2021 09:38:32 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:content-transfer-encoding:in-reply-to; s=mesmtp; bh=7L6F4k5VsS4RhmHt3aIcbP87+kk2W9Z2e4E8BO2OC7g=; b=KoVU1Hg3Uu3Z Mn84F/j3yUKezbtjAkpnDK25q/veFPbAY2q89bSAcsxOrDXggYG0CrRq8VLKf4lu 8v+vt0vfmmDeacOVSUedgYwuU7KE/xFeNtRcUn9S5eYAZ2O/xloPGn/Xu/yDPUzh O6FQ9+MqQYefEOYDT33VgvUWaltJFRM= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=7L6F4k5VsS4RhmHt3aIcbP87+kk2W9Z2e4E8BO2OC 7g=; b=ankJy2rnEduOfNp4YV+8Nu89RuT2KNlNPDf4hc9G/Iehm5vtCiuhy2zEf EtNKhFshu9l1wpxmXZ4Of4xPrPJfWMmvyxfXSNREQOIgWaEykwoo9f/WcLDc1gxz mGsryRLiUdVL6l4AEr5rKjnD9L9RaPgHldqYDzSeOpLUbcX9bnQL1KLMu1RLn9TG V+VbtXM6aRaoQKT+h4sb1CpjkvIuQ2iK/RCUR6VE8sdjoTQpbGucN2tqe5hEYaEd Bvh60JTx1R8K1qj+bSzBiKkP6EjBEzQduvVZtHlZO9GjQPuAyrNbzrid1xdnfaMf 2pxDG7wGlXfD/JbtNZw4S4NlDvFkQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrvdehvddgheefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkfhggtggugfgjsehtke ertddttdejnecuhfhrohhmpefnvghoucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhl rghrihdrnhgrmhgvqeenucggtffrrghtthgvrhhnpeegjeeggeehtddugfffuddtvdfffe ffjeekffffveffheegvddvuedtffekjeejjeenucevlhhushhtvghrufhiiigvpedtnecu rfgrrhgrmhepmhgrihhlfhhrohhmpehlvghosehfrghmuhhlrghrihdrnhgrmhgv X-ME-Proxy: Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 1 Nov 2021 09:38:31 -0400 (EDT) Date: Mon, 1 Nov 2021 09:38:28 -0400 From: Leo Famulari To: Giovanni Biscuolo Subject: Re: "Trojan Source" (CVE-2021-42574 and CVE-2021-42694): can 'guix lint' help someway? Message-ID: References: <87fssgi04h.fsf@xelera.eu> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <87fssgi04h.fsf@xelera.eu> Received-SPF: pass client-ip=64.147.123.21; envelope-from=leo@famulari.name; helo=wout5-smtp.messagingengine.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: guix-devel@gnu.org Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1635773930; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=7L6F4k5VsS4RhmHt3aIcbP87+kk2W9Z2e4E8BO2OC7g=; b=LoLUuKlPydwVAf2m8dFTv+k0BQGQuPu1W9fjdlZyBNOS18Iww6CF2J/1rtJk0BnILfFLVM 5pAcXXC4ctrJ8XhKLXfEghGCc8//oPnOaUcLz1zxhCrcBKtBRK/o6pG2UkJ3Gl6VGLbFhS 8/ZeINrpBuDKypZ4quRAl1lDk3rR5eGa06qnvCjSoG9XWq6/qIo/EIKGpQ56SXh/o56swS q8bJNw4l4wOm6H2CYg6f6QloRk9pDMdFTGvAE+NG24f15GO1L7pagBTsA5I6BBAaGeTLq5 /8C0Fz+YU97L8OSRyxvKuH02Od8e7ar5QZMjKL2Hr4pyd10ccfZ4er06akQs/g== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1635773930; a=rsa-sha256; cv=none; b=Wj4Hi8ZQIDStByQGIdmXSdvkeDnDnTbIOjWwvc0J7gkAuUhlx55L51e1e7QBDECCcCJAlv TT3TlO/Da1p7hog/s++EyyZg6jc+0l+aeqDL0b6MslZPKNIlvSRmBzK06rJOPo3MP3wQSk 8dkVmQjJSkt3Lnp4iN+DnzpzqFvgFq3NDTI2km407nuncY9gwZYWwayCyzeorpe3BslRqw 0wAQNVKO7gPFH8s0MFOVf3wEDx2ozlvxFIDeNDoP26h8IyQ2zMTy6BKLtGFc6ug6BqZ+Re 8a+ZHy3/2zHhYWK6WdMWNqMolTs8/9U4aZ1Y4iQNp2aOqe6F05CdSZYEfx3Mog== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=famulari.name header.s=mesmtp header.b=KoVU1Hg3; dkim=pass header.d=messagingengine.com header.s=fm1 header.b=ankJy2rn; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -1.62 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=famulari.name header.s=mesmtp header.b=KoVU1Hg3; dkim=pass header.d=messagingengine.com header.s=fm1 header.b=ankJy2rn; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: 38DF122653 X-Spam-Score: -1.62 X-Migadu-Scanner: scn0.migadu.com X-TUID: wrZefaoXanK/ On Mon, Nov 01, 2021 at 12:30:38PM +0100, Giovanni Biscuolo wrote: > as probably many of you have discovered, today was announced two new > vulnerabilities that exploits the "bidirectional override" Unicode > codepoints feature, making it possible to hide malicious source code in > comments and literal strings /if/ the code review tool (e.g. editor) > does not show this. We need to check our own Git repository history for the tricky codepoints. > Is there a way for "guix lint" to check for the listed (other?) > "dangerous" codepoints and warn code reviewers? Yeah, we could implement this. It might be expensive but one has to unpack the source code anyways. However, I think that this attack is, in general, not within the scope of Guix's security model, because: 1) Guix implicitly trusts the source code that it fetches from upstream. 2) Guix explicitly fetches the source code from upstream — Guix committers do not provide a copy of the upstream code (of unprovable provenance) as they do in other distros. If an attacker can make malicious modifications to the code distributed by an upstream project, it's not relevant to Guix if they use homoglyphs or a buffer overflow. Guix developers do not inspect upstream source code for vulnerabilities. What do others think?