Bug 2015365 (CVE-2021-42694)
Field | Value
---|---
Summary | CVE-2021-42694 environment: Homoglyph characters can lead to trojan source attack
Product | [Other] Security Response
Reporter | Huzaifa S. Sidhpurwala <huzaifas>
Component | vulnerability
Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED NOTABUG
QA Contact | 
Severity | medium
Docs Contact | 
Priority | medium
Version | unspecified
CC | ahajkova, dmalcolm, fweimer, jakub, mpolacek, ohudlick, security-response-team, sipoyare
Target Milestone | ---
Keywords | Security
Target Release | ---
Hardware | All
OS | Linux
Whiteboard | 
Fixed In Version | 
Doc Type | If docs needed, set a value
Doc Text:

A flaw was found in the way Unicode standards are implemented in the context of development environments, which have specialized requirements for rendering text. Homoglyphs are distinct Unicode characters that look identical to the naked eye. An attacker could use homoglyphs to deceive a human reviewer by creating a malicious patch containing functions whose names look like those of standard library functions, such as print, but with one character replaced by a homoglyph. Such a function can then be defined in an upstream dependency to launch source code-related attacks.
Field | Value
---|---
Story Points | ---
Clone Of | 
Environment | 
Last Closed | 2021-11-15 05:57:21 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
CRM | 
Verified Versions | 
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host | 
Cloudforms Team | ---
Target Upstream Version | 
Embargoed | 
Bug Depends On | 
Bug Blocks | 2002822
Description (Huzaifa S. Sidhpurwala, 2021-10-19 03:15:50 UTC)
Note: This is a flaw with the way Unicode standards are implemented in the context of development environments, which have specialized requirements for rendering text. It is not a flaw in Red Hat products. CVE-2021-42694 has been known for some time. Various upstream projects have been known to work on the homoglyphs issue for the last several years, and this work is currently in progress.

https://rust-lang.github.io/rfcs/2457-non-ascii-idents.html
https://www.unicode.org/reports/tr39/#Confusable_Detection
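As an added example, not taken from the bug report or from any Red Hat or upstream tooling, the following Python checker applies the confusable-detection idea from the linked Unicode TR39 section to a source file: it flags non-ASCII identifiers whose NFKC-normalized, confusable-mapped skeleton collides with an ASCII identifier in the same file or with a builtin such as print. The confusable map is a hand-picked subset (an assumption made here; a real checker would load the full TR39 confusables table) and the sample source is constructed.

```python
"""Flag homoglyph (confusable) identifiers in source text.

Added example: a non-ASCII identifier is reported when its skeleton
(NFKC form, then a confusable map) equals an ASCII identifier used in the
same file or a well-known builtin. CONFUSABLES is a small hand-picked
subset standing in for the full Unicode TR39 table (assumption).
"""
import re
import unicodedata

# Constructed Cyrillic/Greek/IPA -> Latin subset; not the full TR39 table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03bf": "o", "\u03c1": "p", "\u0251": "a", "\u0261": "g",
}
IDENT_RE = re.compile(r"[^\W\d]\w*")  # Unicode-aware identifier token
BUILTINS = {"print", "open", "exec", "eval", "input", "len"}


def skeleton(ident: str) -> str:
    """Reduce an identifier to a comparison form, roughly as TR39 describes."""
    nfkc = unicodedata.normalize("NFKC", ident)  # e.g. fullwidth 'p' -> 'p'
    return "".join(CONFUSABLES.get(ch, ch) for ch in nfkc)


def find_confusable_identifiers(source: str) -> list[tuple[int, str, str]]:
    """Return (line_no, identifier, ascii_lookalike) for each suspicious name."""
    ascii_names = {m.group(0) for m in IDENT_RE.finditer(source) if m.group(0).isascii()}
    targets = ascii_names | BUILTINS
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in IDENT_RE.finditer(line):
            ident = m.group(0)
            if ident.isascii():
                continue  # only mixed/non-Latin names can be homoglyph decoys
            target = skeleton(ident)
            if target in targets:
                findings.append((line_no, ident, target))
    return findings


# Constructed sample: a dependency defines a look-alike of print using
# Cyrillic U+0440 in place of Latin 'p', then a caller "uses" it.
SAMPLE = "def \u0440rint(*args):\n    pass\n\n\u0440rint('hello')\nprint('world')\n"

if __name__ == "__main__":
    for line_no, ident, target in find_confusable_identifiers(SAMPLE):
        print(f"line {line_no}: {ident!r} looks like {target!r}")
```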