|
Message-ID: <4rs9o8oo-3q9s-1276-r921-6r9n436o758@vanv.qr> Date: Tue, 2 Nov 2021 02:21:58 +0100 (CET) From: Jan Engelhardt <jengelh@...i.de> To: "Perry E. Metzger" <perry@...rmont.com> cc: oss-security@...ts.openwall.com Subject: Re: Trojan Source Attacks On Tuesday 2021-11-02 00:50, Perry E. Metzger wrote: > On 11/1/21 16:51, Jan Engelhardt wrote: >>> We have identified an issue affecting all compilers and interpreters that >>> support Unicode. >>> [...] >>> The attached paper describes an attack paradigm -- which we believe to be >>> novel -- discovered by security researchers at the >>> University of Cambridge. >> Not so novel. At one time, this picture made the rounds >> (https://twitter.com/acronis/status/1019152990022787072 - the pic is likely >> older than this 2018 tweet), and anyone who knew that Unicode had zero-width >> characters already made the connection. > > If it was known to everyone, then why are so many language interpreters and > compilers impacted? [...] (Claims that people who write > compilers are fools will be cheerfully ignored.) Perhaps a case of "not my problem". The filesystem layer of many an operating system does not care about filenames. The only rules, if any, are the special meaning of the hierarchy separator (if any) and perhaps a string terminator (if any). Compilers - could be the same thing. As long as the grammar is satisfied, why should they bother what comes in. ("Write/use better editors and frontends")
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.