On Mon, Nov 01, 2021 at 11:17:52AM -0400, Matthew Miller wrote:
> The latest dramatically-named fancy-website infosec thing is called "Trojan Source". See https://www.trojansource.codes/ if you want to marvel at the presentation, complete with ominous hacker hex codes and rolling fog over dark water. It's not really a vulnerability in the traditional sense, but the idea that unicode bidirectional characters can be used to hide code in patches. That code is invisible to humans when viewed with most software that is just trying to do its job in formatting unicode correctly, but the code can be formatted in a way that makes various compilers and interpreters actually do something meaningful with it.
>
> Many tools and compilers are getting updates to check for this. See for example this for the Rust compiler: https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html
>
> For Fedora: Pierre-Yves Chibon has scanned dist-git and we've not found any such suspicious characters in patches or spec files, so we're confident that this hasn't been used to attack Fedora Linux packages to date.
>
> For the future, there's a new mitigation in pagure which will be deployed soon: https://pagure.io/pagure/c/8bacd4da4fa6de578b818aa7a4b36bbeaaa243d7?branch=master This will give a warning if a PR contains bidirectional characters. (These characters _can_ be used for their intended purpose, after all, so we're not just blocking them.) Plus, David Cantrell has rpminspect checks and Nick Clifton is expanding annobin to check ELF objects.
Code will be merged today for rpminspect and I am going to make new releases of rpminspect and associated data packages. rpminspect will gain a new 'unicode' inspection that will check text files in SRPMs as well as the %prep'ed source tree(s) used to build the binary RPMs.
> And Huzaifa Sidhpurwala helped immensely in coordinating our response. Thanks everyone for doing this, keeping Fedora safe and trustworthy!
Thanks,

-- 
David Cantrell <dcantrell@xxxxxxxxxx>
Red Hat, Inc. | Boston, MA | EST5EDT
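The pagure PR warning and the rpminspect 'unicode' inspection discussed in this thread both come down to the same check: flagging Unicode bidirectional control characters in text that is supposed to be source. As an added example, not code from this thread or from either project, here is a small Python scanner that reports such characters by file, line and column, both for plain text files (spec files, sources) and for the added lines of a unified diff; the sample diff it scans is constructed for the example.

```python
import unicodedata

# Unicode bidirectional-control classes that reorder how text is displayed:
# explicit embeddings/overrides (LRE, RLE, LRO, RLO, PDF) and isolates
# (LRI, RLI, FSI, PDI). These are the characters the "Trojan Source"
# technique relies on. Ordinary right-to-left letters (class R or AL,
# e.g. Hebrew or Arabic text in a comment) are not controls and are
# deliberately left alone so legitimate RTL content is not flagged.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF",
                        "LRI", "RLI", "FSI", "PDI"}


def find_bidi_controls(text, name="<input>"):
    """Return (name, line, column, unicode_name) for each bidi control found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES:
                findings.append((name, lineno, col, unicodedata.name(ch)))
    return findings


def find_bidi_controls_in_patch(patch):
    """Scan only the added ('+') lines of a unified diff, attributing each
    hit to the target file named in the most recent '+++ ' header."""
    current = "<unknown>"
    findings = []
    for lineno, line in enumerate(patch.splitlines(), start=1):
        if line.startswith("+++ "):
            current = line[4:].split("\t")[0].strip()
        elif line.startswith("+"):
            for col, ch in enumerate(line, start=1):
                if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES:
                    findings.append((current, lineno, col, unicodedata.name(ch)))
    return findings


# Constructed sample diff (not from the thread): the added line carries a
# RIGHT-TO-LEFT OVERRIDE (U+202E) inside a string literal, which most viewers
# render invisibly while reordering the text that follows it.
SAMPLE_PATCH = (
    "--- a/check.py\n"
    "+++ b/check.py\n"
    "@@ -1,2 +1,3 @@\n"
    " def check(user):\n"
    "+    note = 'ok\u202e' # reviewed\n"
    "     return False\n"
)

if __name__ == "__main__":
    for name, line, col, cname in find_bidi_controls_in_patch(SAMPLE_PATCH):
        print(f"{name}:{line}:{col}: bidirectional control {cname}")
```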