oss-sec mailing list archives

Re: Trojan Source Attacks


From: Stuart D Gathman <stuart () gathman org>
Date: Tue, 2 Nov 2021 16:52:33 -0400 (EDT)

On Mon, 1 Nov 2021, Nicholas Boucher wrote:

> The first and primary technique, which we dub the Trojan Source attack, uses
> Unicode Bidirectional (Bidi) control characters embedded in comments and
> string literals to produce visually deceptive source code files. This
> technique enables an adversary to encode constructs that visually appear to
> be comments or string literals but execute as code, or vice versa. Complete
> details, as well as recommended mitigations, can be found in the attachment
> 001 Trojan Source.pdf. This vulnerability is tracked under CVE-2021-42574.

Syntax coloring thus becomes a critical security tool.  And bugs in
syntax coloring for an editor/viewer should be considered security flaws
and reported on oss-security.

