The latest dramatically-named fancy-website infosec thing is called "Trojan Source". See https://www.trojansource.codes/ if you want to marvel at the presentation, complete with ominous hacker hex codes and rolling fog over dark water.

It's not really a vulnerability in the traditional sense, but the idea that unicode bidirectional characters can be used to hide code in patches. That code is invisible to humans when viewed with most software that is just trying to do its job in formatting unicode correctly, but the code can be formatted in a way that makes various compilers and interpreters actually do something meaningful with it.

Many tools and compilers are getting updates to check for this. See for example this for the Rust compiler: https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html

For Fedora: Pierre-Yves Chibon has scanned dist-git and we've not found any such suspicious characters in patches or spec files, so we're confident that this hasn't been used to attack Fedora Linux packages to date.

For the future, there's a new mitigation in pagure which will be deployed soon: https://pagure.io/pagure/c/8bacd4da4fa6de578b818aa7a4b36bbeaaa243d7?branch=master

This will give a warning if a PR contains bidirectional characters. (These characters _can_ be used for their intended purpose, after all, so we're not just blocking them.)

Plus, David Cantrell has rpminspect checks and Nick Clifton is expanding annobin to check ELF objects. And Huzaifa Sidhpurwala helped immensely in coordinating our response.

Thanks everyone for doing this, keeping Fedora safe and trustworthy!
-- 
Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx>
Fedora Project Leader
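An added example, not the pagure or Fedora code referred to above, of the kind of check the pagure warning performs: it scans the added lines of a unified diff for the Unicode bidirectional override, embedding and isolate characters that "Trojan Source" relies on, and reports their position rather than rejecting the patch, since the characters have legitimate uses. The sample diff is constructed for the example.

```python
"""Report Unicode bidi control characters in the added lines of a patch."""
import unicodedata

# The nine Bidi format characters (UAX #9) that can reorder displayed text:
# LRE, RLE, PDF, LRO, RLO and LRI, RLI, FSI, PDI. Directional *marks*
# (U+200E/U+200F/U+061C) are deliberately not flagged: they are common in
# legitimate right-to-left text and do not reorder surrounding code.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def _controls_in(line):
    """Yield (1-based column, character name) for every bidi control in a line."""
    return [(col, unicodedata.name(ch))
            for col, ch in enumerate(line, start=1) if ch in BIDI_CONTROLS]


def find_bidi_controls(text):
    """Scan a whole file: returns a list of (line_no, col_no, name) tuples."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits.extend((line_no, col, name) for col, name in _controls_in(line))
    return hits


def scan_added_lines(diff_text):
    """Scan only the '+' lines of a unified diff (skipping the '+++' file
    header), which is what a pull-request check cares about. Line numbers
    refer to lines of the diff itself."""
    hits = []
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        if line.startswith("+") and not line.startswith("+++"):
            hits.extend((line_no, col, name) for col, name in _controls_in(line))
    return hits


# Constructed sample diff: the single added line carries an RLO and a PDI
# inside a comment, where a reviewer's editor would render them invisibly.
SAMPLE_DIFF = (
    "--- a/example.c\n"
    "+++ b/example.c\n"
    "@@ -1,2 +1,3 @@\n"
    " int main(void) {\n"
    "+    /* \u202e comment \u2069 */\n"
    "     return 0;\n"
)

if __name__ == "__main__":
    for line_no, col, name in scan_added_lines(SAMPLE_DIFF):
        print(f"warning: diff line {line_no}, column {col}: {name} (U+{ord(unicodedata.lookup(name)):04X})")
```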