Bug 2015365 (CVE-2021-42694)

Summary: CVE-2021-42694 Developer environment: Homoglyph characters can lead to trojan source attack
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: ahajkova, dmalcolm, fweimer, jakub, mpolacek, ohudlick, security-response-team, sipoyare
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way Unicode standards are implemented in the context of development environments, which have specialized requirements for rendering text. Homoglyphs are different Unicode characters that, to the naked eye, look the same. An attacker could use homoglyphs to deceive a human reviewer by creating a malicious patch containing functions that look similar to standard library functions, such as print, but replace one character with a homoglyph. This function can then be defined in an upstream dependency to launch source code-related attacks.
Last Closed: 2021-11-15 05:57:21 UTC
Bug Blocks: 2002822

Description Huzaifa S. Sidhpurwala 2021-10-19 03:15:50 UTC
Homoglyphs are different Unicode characters that to the naked eye look the same. An attacker could use homoglyphs to deceive a human reviewer by creating a malicious patch containing functions that look similar to standard library functions, such as print, but replace one character with a homoglyph. This function can then be defined in an upstream dependency to launch supply chain attacks.

Comment 1 Huzaifa S. Sidhpurwala 2021-10-19 03:16:59 UTC
Note: This is a flaw with the way Unicode standards are implemented in the context of development environments, which have specialized requirements for rendering text. It is not a flaw in Red Hat products.

Comment 2 Huzaifa S. Sidhpurwala 2021-10-29 06:27:46 UTC
CVE-2021-42694 has been known for some time. Various upstream projects have been known to work on the homoglyphs issue for the last several years, and that work is currently in progress.

https://rust-lang.github.io/rfcs/2457-non-ascii-idents.html
https://www.unicode.org/reports/tr39/#Confusable_Detection
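Added example (not part of the bug record or of any Red Hat or upstream tool): a small review-time checker in the spirit of the UTS #39 confusable detection linked above. It flags non-ASCII identifiers that mix scripts or that, after mapping a hand-picked subset of confusable letters to ASCII, collide with a plain ASCII identifier such as `print`. The sample source, the subset table and all function names are constructed for the demo; a real checker would load the full confusables.txt.

```python
import re
import unicodedata

# Constructed sample: a defined lookalike of `print` whose first letter is
# CYRILLIC SMALL LETTER ER (U+0440), followed by a call that reads as print().
SAMPLE_SOURCE = (
    "def \u0440rint(*args):\n"
    "    pass  # swallows output instead of printing it\n"
    "\n"
    "print('hello')\n"
    "\u0440rint('this reaches the lookalike, not the builtin')\n"
)

# Hand-picked subset of the UTS #39 confusables table (assumption: enough for
# this demo; a production checker loads the complete confusables.txt).
CONFUSABLE_TO_ASCII = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u03bf": "o",
}

IDENT_RE = re.compile(r"[^\W\d]\w*")  # Unicode-aware identifier scan

def script_of(ch):
    """Approximate the script from the character's Unicode name: unicodedata
    exposes no Script property, so use the first word (LATIN, CYRILLIC, ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"

def skeleton(ident):
    """Map known confusable letters to ASCII so lookalikes compare equal."""
    return "".join(CONFUSABLE_TO_ASCII.get(c, c) for c in ident)

def find_confusable_identifiers(source):
    """Return {identifier: [reasons]} for each non-ASCII identifier that mixes
    scripts or whose skeleton collides with an ASCII identifier in `source`."""
    idents = set(IDENT_RE.findall(source))
    ascii_idents = {i for i in idents if i.isascii()}
    findings = {}
    for ident in sorted(idents - ascii_idents):
        reasons = []
        scripts = {script_of(c) for c in ident if c.isalpha()}
        if len(scripts) > 1:
            reasons.append("mixed scripts: " + ", ".join(sorted(scripts)))
        twin = skeleton(ident)
        if twin in ascii_idents:
            reasons.append(f"confusable with ASCII identifier {twin!r}")
        if reasons:
            findings[ident] = reasons
    return findings

if __name__ == "__main__":
    for ident, reasons in find_confusable_identifiers(SAMPLE_SOURCE).items():
        print(ident.encode("unicode_escape").decode(), "->", "; ".join(reasons))
```

Running it on the sample reports the lookalike once with both reasons; clean ASCII-only sources produce no findings.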