Bug 2005819 (CVE-2021-42574)
Summary: | CVE-2021-42574 Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aboyko, adinn, ahajkova, ahenning, ahughes, ailan, akashche, aoliva, asm, atangrin, bdettelb, bodavis, brasmith, caswilli, crarobin, danken, daoneill, dbaker, dbenoit, deparker, dhughes, dkuc, dmalcolm, dvlasenk, eduen, eglynn, emachado, ericwill, fche, fjansen, fweimer, hhorak, jakub, janstey, jary, jason, jchecahi, jeischma, jgrulich, jistone, jjoyce, jkang, jmadigan, jmaury, jmigacz, jmitchel, jnakfour, jorton, jpadman, jplesnik, jvanek, jwakely, jwboyer, jwendell, jwong, kaycoth, kdudka, keiths, kejohnso, kwall, law, lmadsen, lsharar, mbalao, mbenitez, mburns, mcermak, mclasen, mcressma, midawson, mkleinhe, mlittle, mloriedo, mmuzila, mnewsome, mpolacek, mprchlik, mrunge, msebor, mskarbek, nboldt, neugens, ngough, nickc, ohudlick, omajid, opohorel, pamccart, parichar, pleimer, pmatilai, psegedy, pskopek, pviktori, python-maint, rcernich, rich.sharples, rmonk, rstrode, sbiarozk, sbouchet, security-response-team, sgehwolf, sguelton, sguilhen, sipoyare, sthirugn, tcarlin, tschelle, tstellar, tsweeney, virt-maint, vkadlcik, vmugicag, vondruch, yjog, zdohnal |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | A flaw was found in the way Unicode standards are implemented in the context of development environments, which have specialized requirements for rendering text. An attacker could exploit this to deceive a human reviewer by creating a malicious patch containing well-placed BiDi characters. The special handling and rendering of those characters can then be used in an attempt to hide unexpected and potentially dangerous behaviour from the reviewer. | |
Story Points: | --- |
Clone Of: | | Environment: |
Last Closed: | 2021-11-01 08:07:51 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2009282, 2009283, 2009285, 2008380, 2008381, 2008382, 2008383, 2008384, 2008385, 2008388, 2008389, 2008390, 2008391, 2008392, 2008393, 2009163, 2009164, 2009165, 2009166, 2009167, 2009168, 2009169, 2009170, 2009171, 2009172, 2009173, 2009174, 2009175, 2009176, 2009177, 2009178, 2009179, 2009180, 2009181, 2009182, 2009183, 2009184, 2009185, 2009186, 2009187, 2009188, 2009190, 2009195, 2009247, 2009248, 2009249, 2009250, 2009251, 2009252, 2009259, 2009260, 2009261, 2009262, 2009263, 2009272, 2009273, 2009274, 2009275, 2009276, 2009277, 2009284, 2009286, 2009287, 2011665, 2016236, 2016237, 2016238, 2016239, 2016240, 2016241, 2016242, 2016243, 2016244, 2016245, 2017359, 2017360, 2017361, 2017362, 2017363, 2017364, 2017365, 2017366, 2017367, 2017368, 2017779, 2017780, 2017781, 2017782, 2017783, 2017816, 2017817, 2017818, 2017819, 2017820, 2018682, 2018683, 2018684, 2018685, 2018686, 2018687, 2018848, 2018849, 2018850, 2018860, 2019361, 2023658, 2023676 | ||
Bug Blocks: | 2002822 |
Description
Huzaifa S. Sidhpurwala
2021-09-20 09:19:11 UTC
Created annobin tracking bugs for this issue:
Affects: fedora-all [bug 2018850]

Created binutils tracking bugs for this issue:
Affects: fedora-all [bug 2018848]

Created gcc tracking bugs for this issue:
Affects: fedora-all [bug 2018849]

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7.3 Advanced Update Support
Via RHSA-2021:4037 https://access.redhat.com/errata/RHSA-2021:4037

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7.2 Advanced Update Support
Via RHSA-2021:4038 https://access.redhat.com/errata/RHSA-2021:4038

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7.4 Advanced Update Support
Via RHSA-2021:4036 https://access.redhat.com/errata/RHSA-2021:4036

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:4039 https://access.redhat.com/errata/RHSA-2021:4039

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7.6 Advanced Update Support
Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
Red Hat Enterprise Linux 7.6 Telco Extended Update Support
Via RHSA-2021:4035 https://access.redhat.com/errata/RHSA-2021:4035

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7.7 Advanced Update Support
Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
Red Hat Enterprise Linux 7.7 Telco Extended Update Support
Via RHSA-2021:4034 https://access.redhat.com/errata/RHSA-2021:4034

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-42574

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2021:4033 https://access.redhat.com/errata/RHSA-2021:4033

I've posted a script "utf8-dump.py" to upstream GCC: https://gcc.gnu.org/pipermail/gcc-patches/2021-November/583024.html to make it easier to grok encoding issues in source files, and, in particular, the difference between visual and logical order in bidirectional files.

I've committed this patch to upstream GCC (for GCC 12): https://gcc.gnu.org/pipermail/gcc-patches/2021-November/583020.html https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=bd5e882cf6e0def3dd1bc106075d59a303fe0d1e which improves the UX for diagnostics involving Unicode encoding issues (but this patch does *not* itself directly detect them). Unfortunately it's nontrivial to backport to earlier GCC releases.

Upstream GCC bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103026 ("Implement warning for Unicode bidi override characters [CVE-2021-42574]")
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103027 ("Implement warning for homoglyphs in identifiers [CVE-2021-42694]")

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Extended Update Support
Via RHSA-2021:4588 https://access.redhat.com/errata/RHSA-2021:4588

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4585 https://access.redhat.com/errata/RHSA-2021:4585

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Extended Update Support
Via RHSA-2021:4589 https://access.redhat.com/errata/RHSA-2021:4589

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.1 Extended Update Support
Via RHSA-2021:4599 https://access.redhat.com/errata/RHSA-2021:4599

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4586 https://access.redhat.com/errata/RHSA-2021:4586

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Extended Update Support
Via RHSA-2021:4600 https://access.redhat.com/errata/RHSA-2021:4600

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4594 https://access.redhat.com/errata/RHSA-2021:4594

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4593 https://access.redhat.com/errata/RHSA-2021:4593

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4592 https://access.redhat.com/errata/RHSA-2021:4592

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Extended Update Support
Via RHSA-2021:4601 https://access.redhat.com/errata/RHSA-2021:4601

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4591 https://access.redhat.com/errata/RHSA-2021:4591

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4587 https://access.redhat.com/errata/RHSA-2021:4587

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4595 https://access.redhat.com/errata/RHSA-2021:4595

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.1 Extended Update Support
Via RHSA-2021:4602 https://access.redhat.com/errata/RHSA-2021:4602

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Extended Update Support
Via RHSA-2021:4598 https://access.redhat.com/errata/RHSA-2021:4598

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Extended Update Support
Via RHSA-2021:4596 https://access.redhat.com/errata/RHSA-2021:4596

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4590 https://access.redhat.com/errata/RHSA-2021:4590

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4649 https://access.redhat.com/errata/RHSA-2021:4649

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:4669 https://access.redhat.com/errata/RHSA-2021:4669

This issue has been addressed in the following products:
Red Hat Developer Tools
Via RHSA-2021:4694 https://access.redhat.com/errata/RHSA-2021:4694

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:4723 https://access.redhat.com/errata/RHSA-2021:4723

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:4724 https://access.redhat.com/errata/RHSA-2021:4724

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:4729 https://access.redhat.com/errata/RHSA-2021:4729

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:4730 https://access.redhat.com/errata/RHSA-2021:4730

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4743 https://access.redhat.com/errata/RHSA-2021:4743
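The Doc Text above describes the attack class (BiDi control characters placed so that what a reviewer sees differs from what the compiler consumes), and the GCC comment above points at the gap between visual and logical order. The scanner below is an added example written for this page; it is not code from this bug, from Red Hat, from GCC, or from the utf8-dump.py script mentioned above. It walks a source file in logical (code point) order, reports every explicit directional formatting character with its Unicode name, and flags lines that open an override or isolate without closing it. The `SAMPLE` snippet is constructed for the example; the file-reading `main` is a hypothetical CLI wrapper suitable for a pre-commit hook or CI job.

```python
"""Scan source text for Unicode BiDi control characters (added example, CVE-2021-42574 class).

Reports control code points in the file's logical order, which is what the compiler
consumes, so a reviewer can compare it with what the editor rendered. It does not
implement the Unicode BiDi rendering algorithm.
"""
import sys
import unicodedata
from typing import List, NamedTuple

# Explicit directional formatting characters from the Unicode Bidirectional Algorithm.
EMBEDDING_OPENERS = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
EMBEDDING_CLOSER = "\u202c"                                    # PDF
ISOLATE_OPENERS = {"\u2066", "\u2067", "\u2068"}               # LRI, RLI, FSI
ISOLATE_CLOSER = "\u2069"                                      # PDI
BIDI_CONTROLS = EMBEDDING_OPENERS | {EMBEDDING_CLOSER} | ISOLATE_OPENERS | {ISOLATE_CLOSER}


class Finding(NamedTuple):
    line: int          # 1-based line number
    column: int        # 1-based code point offset within the line
    codepoint: str     # e.g. "U+202E"
    name: str          # Unicode character name
    unbalanced: bool   # the line opens an embedding/isolate it never closes, or vice versa


def line_is_balanced(line: str) -> bool:
    """True if every embedding/isolate opened on the line is also closed on it."""
    # Trojan Source snippets usually close what they open so the effect stays on one
    # line; an unbalanced line is reported too, since it is just as unexpected in source.
    embeddings = isolates = 0
    for ch in line:
        if ch in EMBEDDING_OPENERS:
            embeddings += 1
        elif ch == EMBEDDING_CLOSER:
            embeddings -= 1
        elif ch in ISOLATE_OPENERS:
            isolates += 1
        elif ch == ISOLATE_CLOSER:
            isolates -= 1
        if embeddings < 0 or isolates < 0:   # a closer with no matching opener
            return False
    return embeddings == 0 and isolates == 0


def scan_source(text: str) -> List[Finding]:
    """Report every BiDi control character in `text`, in logical (code point) order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not set(line) & BIDI_CONTROLS:
            continue
        balanced = line_is_balanced(line)
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append(Finding(lineno, col, f"U+{ord(ch):04X}",
                                        unicodedata.name(ch), not balanced))
    return findings


def escape_controls(line: str) -> str:
    """Render a line in logical order with each BiDi control shown as a \\uXXXX escape."""
    return "".join(f"\\u{ord(ch):04x}" if ch in BIDI_CONTROLS else ch for ch in line)


# Constructed sample, not taken from the advisory. In logical order the comment closes
# and an early `return 1;` follows; the RLO (U+202E) ... PDF (U+202C) pair makes a
# BiDi-aware editor display that run right-to-left, so the line the reviewer sees does
# not match the line the compiler sees.
SAMPLE = (
    "int check_admin(int is_admin) {\n"
    "    /* admins only \u202e */ return 1; /* \u202c */\n"
    "    return is_admin;\n"
    "}\n"
)


def main(paths: List[str]) -> int:
    """Hypothetical CLI: print findings per file; exit status 1 if anything was found."""
    status = 0
    for path in paths:
        with open(path, "rb") as fh:            # read bytes, decode explicitly as UTF-8
            text = fh.read().decode("utf-8", errors="replace")
        for f in scan_source(text):
            status = 1
            flag = " (unbalanced on this line)" if f.unbalanced else ""
            print(f"{path}:{f.line}:{f.column}: {f.codepoint} {f.name}{flag}")
    return status


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for finding in scan_source(SAMPLE):       # no arguments: demonstrate on the sample
        print(finding)
    print(escape_controls(SAMPLE.splitlines()[1]))
```

Run it as `python3 bidi_scan.py $(git diff --name-only --cached)` from a pre-commit hook, or over the whole tree in CI, and fail the job on a non-zero exit. Two caveats a reviewer should keep in mind: the check is deliberately language-agnostic, so a legitimate right-to-left string literal is flagged as well and has to be allowlisted per project; and it covers only the BiDi override class tracked here, not the homoglyph identifiers of CVE-2021-42694 mentioned in the GCC bug list above, which need a separate confusable-character check. The compiler-side warning tracked in GCC bug 103026 above addresses the same code points at compile time; a source-tree scan like this one is useful where the toolchain predates that work.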