A flaw was found in the way Unicode standards are implemented in the context of development environments, which have specialized requirements for rendering text. An attacker could exploit this to deceive a human reviewer by creating a malicious patch containing well-placed BiDi characters. The special handling and rendering of those characters can be then used in an attempt to hide unexpected and potentially dangerous behavior from the reviewer. Unicode’s Directional Formatting Characters (‘BiDi’) are invisible characters that switch the display ordering of one or more characters. BiDi overrides cause characters to display in a different order from that in which they are written.
Created annobin tracking bugs for this issue: Affects: fedora-all [bug 2018850] Created binutils tracking bugs for this issue: Affects: fedora-all [bug 2018848] Created gcc tracking bugs for this issue: Affects: fedora-all [bug 2018849]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Advanced Update Support Via RHSA-2021:4037 https://access.redhat.com/errata/RHSA-2021:4037
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Advanced Update Support Via RHSA-2021:4038 https://access.redhat.com/errata/RHSA-2021:4038
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Via RHSA-2021:4036 https://access.redhat.com/errata/RHSA-2021:4036
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:4039 https://access.redhat.com/errata/RHSA-2021:4039
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Advanced Update Support Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions Red Hat Enterprise Linux 7.6 Telco Extended Update Support Via RHSA-2021:4035 https://access.redhat.com/errata/RHSA-2021:4035
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Advanced Update Support Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions Red Hat Enterprise Linux 7.7 Telco Extended Update Support Via RHSA-2021:4034 https://access.redhat.com/errata/RHSA-2021:4034
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-42574
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:4033 https://access.redhat.com/errata/RHSA-2021:4033
I've posted a script "utf8-dump.py" to upstream GCC: https://gcc.gnu.org/pipermail/gcc-patches/2021-November/583024.html to make it easier to grok encoding issues in source files, and, in particular, the difference between visual and logical order in bidirectional files. I've committed this patch to upstream GCC (for GCC 12): https://gcc.gnu.org/pipermail/gcc-patches/2021-November/583020.html https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=bd5e882cf6e0def3dd1bc106075d59a303fe0d1e which improves the UX for diagnostics involving Unicode encoding issues (but this patch does *not* itself directly detect them). Unfortunately it's nontrivial to backport to earlier GCC releases.
Upstream GCC bugs: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103026 ("Implement warning for Unicode bidi override characters [CVE-2021-42574]") https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103027 ("Implement warning for homoglyphs in identifiers [CVE-2021-42694]")
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2021:4588 https://access.redhat.com/errata/RHSA-2021:4588
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4585 https://access.redhat.com/errata/RHSA-2021:4585
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2021:4589 https://access.redhat.com/errata/RHSA-2021:4589
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:4599 https://access.redhat.com/errata/RHSA-2021:4599
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4586 https://access.redhat.com/errata/RHSA-2021:4586
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:4600 https://access.redhat.com/errata/RHSA-2021:4600
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4594 https://access.redhat.com/errata/RHSA-2021:4594
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4593 https://access.redhat.com/errata/RHSA-2021:4593
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4592 https://access.redhat.com/errata/RHSA-2021:4592
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:4601 https://access.redhat.com/errata/RHSA-2021:4601
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4591 https://access.redhat.com/errata/RHSA-2021:4591
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4587 https://access.redhat.com/errata/RHSA-2021:4587
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4595 https://access.redhat.com/errata/RHSA-2021:4595
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:4602 https://access.redhat.com/errata/RHSA-2021:4602
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2021:4598 https://access.redhat.com/errata/RHSA-2021:4598
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2021:4596 https://access.redhat.com/errata/RHSA-2021:4596
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4590 https://access.redhat.com/errata/RHSA-2021:4590
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4649 https://access.redhat.com/errata/RHSA-2021:4649
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:4669 https://access.redhat.com/errata/RHSA-2021:4669
This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2021:4694 https://access.redhat.com/errata/RHSA-2021:4694
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:4723 https://access.redhat.com/errata/RHSA-2021:4723
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:4724 https://access.redhat.com/errata/RHSA-2021:4724
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:4729 https://access.redhat.com/errata/RHSA-2021:4729
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:4730 https://access.redhat.com/errata/RHSA-2021:4730
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4743 https://access.redhat.com/errata/RHSA-2021:4743