Re: Trojan Source Attacks

Related Vulnerabilities: CVE-2021-42574  
                							

From: Stuart D Gathman <stuart () gathman org>

Date: Tue, 2 Nov 2021 16:52:33 -0400 (EDT)

On Mon, 1 Nov 2021, Nicholas Boucher wrote:

> The first and primary technique, which we dub the Trojan Source attack, uses
> Unicode Bidirectional (Bidi) control characters embedded in comments and
> string literals to produce visually deceptive source code files. This
> technique enables an adversary to encode constructs that visually appear to
> be comments or string literals but execute as code, or vice versa. Complete
> details, as well as recommended mitigations, can be found in the attachment
> 001 Trojan Source.pdf. This vulnerability is tracked under CVE-2021-42574.

Syntax coloring thus becomes a critical security tool.  And bugs in
syntax coloring for an editor/viewer should be considered security flaws
and reported on oss-security.
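
A check that complements syntax coloring for the Bidi control characters named in the quoted announcement, as an added example that is not part of the original message or the paper: it reports every such character with its line and column. The sample text and the "unterminated" flag (an opener not closed before the end of its line) are assumptions of this example.

```python
import unicodedata

EMBED_OPEN = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
ISOLATE_OPEN = {"\u2066", "\u2067", "\u2068"}          # LRI, RLI, FSI
PDF, PDI = "\u202c", "\u2069"                          # their terminators
BIDI = EMBED_OPEN | ISOLATE_OPEN | {PDF, PDI}


def scan(text):
    """Return one finding per line that contains a Bidi control character."""
    findings = []
    # Split on "\n" only, so line numbers match what an editor shows.
    for lineno, line in enumerate(text.split("\n"), start=1):
        hits, stack = [], []
        for col, ch in enumerate(line, start=1):
            if ch not in BIDI:
                continue
            hits.append((col, f"U+{ord(ch):04X}", unicodedata.name(ch)))
            if ch in EMBED_OPEN or ch in ISOLATE_OPEN:
                stack.append(ch)
            elif ch == PDF and stack and stack[-1] in EMBED_OPEN:
                stack.pop()
            elif ch == PDI and any(c in ISOLATE_OPEN for c in stack):
                # PDI closes the innermost isolate and anything opened inside it.
                while stack.pop() not in ISOLATE_OPEN:
                    pass
        if hits:
            findings.append(
                {"line": lineno, "chars": hits, "unterminated": bool(stack)}
            )
    return findings


# Constructed sample, written with escapes so this block itself contains no
# invisible characters. Line 2 has an unterminated override inside a comment;
# line 3 has a properly closed isolate around right-to-left text in a string.
SAMPLE = (
    "int limit = 10;\n"
    "/* raise limit \u202e later */ limit = 99;\n"
    "const char *name = \"\u2067\u05e9\u05dc\u05d5\u05dd\u2069\";\n"
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        flag = "UNTERMINATED" if f["unterminated"] else "balanced"
        for col, code, name in f["chars"]:
            print(f"line {f['line']} col {col}: {code} {name} [{flag}]")
```
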
