Re: "Trojan Source" and Fedora

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Nov 01, 2021 at 11:17:52AM -0400, Matthew Miller wrote:
The latest dramatically-named fancy-website infosec thing is called "Trojan
Source". See https://www.trojansource.codes/ if you want to marvel at the
presentation, complete with ominous hacker hex codes and rolling fog over
dark water.

It's not really a vulnerability in the traditional sense, but the idea that
unicode bidirectional characters can be used to hide code in patches. That
code is invisible to humans when viewed with most software that is just
trying to do its job in formatting unicode correctly, but the code can be
formatted in a way that makes various compilers and interpreters actually do
something meaningful with it.

Many tools and compilers are getting updates to check for this. See for
example this for the Rust compiler: https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html

For Fedora:

Pierre-Yves Chibon has scanned dist-git and we've not found any such
suspicious characters in patches or spec files, so we're confident that this
hasn't been used to attack Fedora Linux packages to date. For the future,
there's a new mitigation in pagure which will be deployed soon:
https://pagure.io/pagure/c/8bacd4da4fa6de578b818aa7a4b36bbeaaa243d7?branch=master

This will give a warning if a PR contains bidirectional characters. (These
characters _can_ be used for their intended purpose, after all, so we're not
just blocking them.)

Plus, David Cantrell has rpminspect checks and Nick Clifton is expanding
annobin to check ELF objects.

Code will be merged today for rpminspect and I am going to make new
releases of rpminspect and associated data packages.  rpminspect will
gain a new 'unicode' inspection that will check text files in SRPMs as
well as the %prep'ed source tree(s) used to build to binary RPMs.

And Huzaifa Sidhpurwala helped immensely in coordinating our response.

Thanks everyone for doing this, keeping Fedora safe and trustworthy!

Thanks,

--
David Cantrell <dcantrell@xxxxxxxxxx>
Red Hat, Inc. | Boston, MA | EST5EDT
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux