Date: Tue, 2 Nov 2021 02:21:58 +0100 (CET)
From: Jan Engelhardt <jengelh@...i.de>
To: "Perry E. Metzger" <perry@...rmont.com>
cc: oss-security@...ts.openwall.com
Subject: Re: Trojan Source Attacks

On Tuesday 2021-11-02 00:50, Perry E. Metzger wrote:

> On 11/1/21 16:51, Jan Engelhardt wrote:
>>> We have identified an issue affecting all compilers and interpreters that
>>> support Unicode.
>>> [...]
>>> The attached paper describes an attack paradigm -- which we believe to be
>>> novel -- discovered by security researchers at the
>>> University of Cambridge.
>> Not so novel. At one time, this picture made the rounds
>> (https://twitter.com/acronis/status/1019152990022787072 - the pic is likely
>> older than this 2018 tweet), and anyone who knew that Unicode had zero-width
>> characters already made the connection.
>
> If it was known to everyone, then why are so many language interpreters and
> compilers impacted? [...] (Claims that people who write
> compilers are fools will be cheerfully ignored.)

Perhaps a case of "not my problem".

The filesystem layer of many an operating system does not care about filenames.
The only rules, if any, are the special meaning of the hierarchy separator (if
any) and perhaps a string terminator (if any).

Compilers - could be the same thing. As long as the grammar is satisfied,
why should they bother what comes in. ("Write/use better editors and frontends")
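
Since a compiler that only checks its grammar will accept bidi overrides and zero-width characters, the check has to happen earlier, in review, a pre-commit hook or CI. The following scanner is an added example, not code from this thread or from the Trojan Source paper: it flags the Unicode bidi-control and zero-width code points in a source text and reports lines where an embedding, override or isolate is opened but never closed before end of line, which is the shape that makes the displayed order differ from the order the compiler tokenizes. The code point tables are from the Unicode standard; SAMPLE is a constructed Trojan Source-style snippet for illustration.

```python
"""Flag Unicode bidi-control and zero-width code points in source text.

Added example (not code from the oss-security thread or from the Trojan
Source paper). Code point tables are from the Unicode standard; SAMPLE is
a constructed snippet in the style of the attack, used only as test input.
"""
import sys

# Explicit directional embeddings/overrides and their terminator PDF, and
# the isolates with their terminator PDI. These let a comment or string
# render in an order the compiler never sees.
EMBED_OPEN = {0x202A: "LRE", 0x202B: "RLE", 0x202D: "LRO", 0x202E: "RLO"}
EMBED_CLOSE = {0x202C: "PDF"}
ISOLATE_OPEN = {0x2066: "LRI", 0x2067: "RLI", 0x2068: "FSI"}
ISOLATE_CLOSE = {0x2069: "PDI"}

# Invisible format characters that can be smuggled into identifiers so two
# visually identical names are different symbols to the compiler.
ZERO_WIDTH = {0x200B: "ZWSP", 0x200C: "ZWNJ", 0x200D: "ZWJ",
              0x2060: "WJ", 0xFEFF: "ZWNBSP"}

FLAGGED = {**EMBED_OPEN, **EMBED_CLOSE, **ISOLATE_OPEN, **ISOLATE_CLOSE,
           **ZERO_WIDTH}


def find_suspicious(text):
    """Return (line, column, codepoint, abbreviation) for each flagged char.

    Lines are split on '\\n' only: str.splitlines() would also split on
    U+2028/U+2029 and shift the reported line numbers.
    """
    hits = []
    for lineno, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            cp = ord(ch)
            if cp in FLAGGED:
                hits.append((lineno, col, cp, FLAGGED[cp]))
    return hits


def unbalanced_lines(text):
    """Return line numbers where an embedding/override or isolate is opened
    but not closed by end of line, or closed without having been opened.

    The bidi algorithm terminates all embeddings at a paragraph boundary, so
    an override left open at end of line reorders the display of the rest of
    that line while the compiler still reads it in logical order.
    """
    bad = []
    for lineno, line in enumerate(text.split("\n"), 1):
        embed = isolate = 0
        stray = False
        for ch in line:
            cp = ord(ch)
            if cp in EMBED_OPEN:
                embed += 1
            elif cp in EMBED_CLOSE:
                if embed == 0:
                    stray = True
                else:
                    embed -= 1
            elif cp in ISOLATE_OPEN:
                isolate += 1
            elif cp in ISOLATE_CLOSE:
                if isolate == 0:
                    stray = True
                else:
                    isolate -= 1
        if embed or isolate or stray:
            bad.append(lineno)
    return bad


# Constructed sample: line 3 is one C comment to the compiler, but the RLO and
# LRI/PDI characters make a bidi-aware editor display "if (is_admin) {" as if
# it were code outside the comment, so the puts() appears to be guarded.
SAMPLE = (
    "int main(void) {\n"
    "    int is_admin = 0;\n"
    "    /* \u202e } \u2066 if (is_admin) \u2069 \u2066 begin admins only */\n"
    "        puts(\"You are an admin.\");\n"
    "    /* end admins only \u202e { \u2066 */\n"
    "    return 0;\n"
    "}\n"
)


def main(paths):
    """Scan each file given on the command line; exit 1 if anything is found."""
    found = False
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for lineno, col, cp, name in find_suspicious(text):
            print(f"{path}:{lineno}:{col}: U+{cp:04X} {name}")
            found = True
        for lineno in unbalanced_lines(text):
            print(f"{path}:{lineno}: bidi control left open at end of line")
            found = True
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run as `python3 scan.py file.c ...`; a non-zero exit status makes it usable as a CI gate. Some compilers now ship an equivalent warning, but a repository-level scan also covers build scripts, configuration and documentation that no compiler ever sees.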
