Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 1 Nov 2021 01:01:46 +0100
From: Pietro Albini <pietro@...troalbini.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in
 source code

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The Rust Security Response WG was notified of a security concern affecting
source code containing "bidirectional override" Unicode codepoints: in some
cases the use of those codepoints could lead to the reviewed code being
different than the compiled code.

This is a vulnerability in the Unicode specification, and its assigned
identifier is CVE-2021-42574. While the vulnerability itself is not a rustc
flaw, we're taking proactive measures to mitigate its impact on Rust
developers.

## Overview

Unicode has support for both left-to-right and right-to-left languages, and to
aid writing left-to-right words inside a right-to-left sentence (or vice versa)
it also features invisible codepoints called "bidirectional override".

These codepoints are normally used across the Internet to embed a word inside a
sentence of another language (with a different text direction), but it was
reported to us that they could be used to manipulate how source code is
displayed in some editors and code review tools, leading to the reviewed code
being different than the compiled code. This is especially bad if the whole
team relies on bidirectional-aware tooling.

As an example, the following snippet (with `{U+NNNN}` replaced with the Unicode
codepoint `NNNN`):

```rust
if access_level != "user{U+202E} {U+2066}// Check if admin{U+2069} {U+2066}" {
```

...would be rendered by bidirectional-aware tools as:

```rust
if access_level != "user" { // Check if admin
```

## Affected Versions

Rust 1.56.1 introduces two new lints to detect and reject code containing the
affected codepoints. Rust 1.0.0 through Rust 1.56.0 do not include such lints,
leaving your source code vulnerable to this attack if you do not perform
out-of-band checks for the presence of those codepoints.

To assess the security of the ecosystem we analyzed all crate versions ever
published on crates.io (as of 2021-10-17), and only 5 crates have the affected
codepoints in their source code, with none of the occurrences being malicious.

## Mitigations

We will be releasing Rust 1.56.1 today, 2021-11-01, with two new
deny-by-default lints detecting the affected codepoints, respectively in string
literals and in comments. The lints will prevent source code files containing
those codepoints from being compiled, protecting you from the attack.

If your code has legitimate uses for the codepoints we recommend replacing them
with the related escape sequence. The error messages will suggest the right
escapes to use.

If you can't upgrade your compiler version, or your codebase also includes
non-Rust source code files, we recommend periodically checking that the
following codepoints are not present in your repository and your dependencies:
U+202A, U+202B, U+202C, U+202D, U+202E, U+2066, U+2067, U+2068, U+2069.

## Timeline of events

* 2021-07-25: we received the report and started working on a fix.
* 2021-09-14: the date for the embargo lift (2021-11-01) is communicated to us.
* 2021-10-17: performed an analysis of all the source code ever published to
   crates.io to check for the presence of this attack.
* 2021-11-01: embargo lifts, the vulnerability is disclosed and Rust 1.56.1 is
   released.

## Acknowledgments

Thanks to Nicholas Boucher [1] and Ross Anderson [2] from the University of
Cambridge for disclosing this to us according to our security policy [3]!

We also want to thank the members of the Rust project who contributed to the
mitigations for this issue. Thanks to Esteban K├╝ber for developing the lints,
Pietro Albini for leading the security response, and many others for their
involvement, insights and feedback: Josh Stone, Josh Triplett, Manish
Goregaokar, Mara Bos, Mark Rousskov, Niko Matsakis, and Steve Klabnik.

## Appendix: Homoglyph attacks

As part of their research, Nicholas Boucher and Ross Anderson also uncovered a
similar security issue identified as CVE-2021-42694 involving homoglyphs inside
identifiers. Rust already includes mitigations for that attack since Rust
1.53.0. Rust 1.0.0 through Rust 1.52.1 is not affected due to the lack of
support for non-ASCII identifiers in those releases.

[1] https://github.com/nickboucher
[2] https://www.cl.cam.ac.uk/~rja14
[3] https://www.rust-lang.org/policies/security
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEV2nIi/XdPRSiNKes77mGCudSDawFAmF+hJkACgkQ77mGCudS
DaxljBAAtBlcz3g8h8lZvzOfOb8zRNfgw7mvBxr1fNyjNkV6n/xJA5yO6DC7K5ra
qqHXVdn7yfN5PvCBB7+vqQMDbM3X+m0Ui1eSIW09hGuyqBEc2+3UXlcWe0RVFBjT
ZiGb0TvHqaCZT9z+fRWtkbUia/vnZfTfJkQ0Xj4SE325I0k3uimBpJ+jZFLl98kR
1fnQtDkPQHK+VG5PdlYrZiGB+CibwlJWSqi7qyedPE7BVyFxSn2fHuFmQ4rUpBQc
fAMWI83B+HuQ650vJY2mGCq2qedsTaUDK9S9oF+7pl7FtSjlsBdmJ9ikGB1FFlVP
/6l0DZBRx2o3dp0KlD7k/MsXWZdo2Wg3wRamCltA/9f+uZBxLsdwJ+z1mvZB+wah
jDkrDMOXdacZA5Yr69swY5UnTDyM5oZixT6LQTDCTQTBGMOLFsWTc3kNk7v4r+vj
CR6pVj/2+jqy3hI/IrAWm129KVpyp8XM4KQbMenOBN32eBbDOtIZBn7cjqizfamU
mP5dvUaIfUzOkHcr1Bcx5WJSSTgON8pVTb6AsreCY7rSG2fiHT2beb6W5yZFhdm2
vWefxdcsL/h5WF0NHO5Hgj5o5a29sCpKOuSLfyW6GsA8waSRPkZBs2YWyzidhFr3
A9hmwxWAyDQv8NZZcThepdMjFT8zoDq6cb/aDX28OOjIfJAFQWQ=
=IsMc
-----END PGP SIGNATURE-----

View attachment "rust-1.56.0-fix.patch" of type "text/x-patch" (34016 bytes)

View attachment "rust-1.56.0-fix.patch.asc" of type "text/plain" (833 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.