Bug 2015365 (CVE-2021-42694) - CVE-2021-42694 Developer environment: Homoglyph characters can lead to trojan source attack
Summary: CVE-2021-42694 Developer environment: Homoglyph characters can lead to trojan...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-42694
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2002822
Reported: 2021-10-19 03:15 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-11-15 05:57 UTC
CC List: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way Unicode standards are implemented in the context of development environments, which have specialized requirements for rendering text. Homoglyphs are distinct Unicode characters that look the same to the naked eye. An attacker could use homoglyphs to deceive a human reviewer by creating a malicious patch that calls a function whose name looks like that of a standard library function, such as print, but has one character replaced with a homoglyph. The look-alike function can then be defined in an upstream dependency, so that code which appears to call the standard function actually runs attacker-controlled code, enabling supply chain attacks.
Clone Of:
Environment:
Last Closed: 2021-11-15 05:57:21 UTC
Embargoed:



Description Huzaifa S. Sidhpurwala 2021-10-19 03:15:50 UTC
Homoglyphs are different Unicode characters that to the naked eye look the same. An attacker could use homoglyphs to deceive a human reviewer by creating a malicious patch containing functions that look similar to standard library functions, such as print, but replace one character with a homoglyph. This function can then be defined in an upstream dependency to launch supply chain attacks.

Comment 1 Huzaifa S. Sidhpurwala 2021-10-19 03:16:59 UTC
Note: This is a flaw with the way Unicode standards are implemented in the context of development environments, which have specialized requirements for rendering text. It is not a flaw in Red Hat products.

Comment 2 Huzaifa S. Sidhpurwala 2021-10-29 06:27:46 UTC
CVE-2021-42694 has been known for some time. Various upstream projects have been known to work on the homoglyphs issue for the last several years, and that work is currently in progress.

https://rust-lang.github.io/rfcs/2457-non-ascii-idents.html
https://www.unicode.org/reports/tr39/#Confusable_Detection
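
The following is an added illustration of the attack described in the bug description and of the TR39-style confusable detection that Comment 2 points to; it is not code from the bug report, from Red Hat, or from any upstream project. It constructs a small Python module in which the reviewer sees two calls to print, but the first one uses U+0456 CYRILLIC SMALL LETTER I and is in fact a different identifier imported from a hypothetical dependency (some_dep is an invented name). The scanner pulls every identifier out of the tokenizer, flags those containing non-ASCII characters, classifies the scripts they mix, and maps them through a hand-picked subset of TR39's confusables table to show which ASCII name a reviewer would mistake them for.

```python
import io
import tokenize
import unicodedata

# Hand-picked subset of the TR39 confusables (Cyrillic -> Latin). The full
# table is confusables.txt from https://www.unicode.org/reports/tr39/.
# Assumption: this subset is enough to illustrate the print example.
CONFUSABLE_TO_ASCII = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u04bb": "h",
}

# Constructed sample module (not from the bug report). The identifier on
# lines 1 and 2 is "pr" + U+0456 CYRILLIC SMALL LETTER I + "nt", which most
# fonts render identically to the builtin print. some_dep is hypothetical.
SAMPLE_SOURCE = (
    "from some_dep import pr\u0456nt\n"
    "pr\u0456nt('hello')\n"
    "print('hello')\n"
    "total_value = 1\n"
)


def letter_scripts(identifier):
    """Set of scripts used by the letters in identifier. ASCII letters count
    as LATIN; for other letters the script is taken from the first word of
    the Unicode character name (crude, but enough for Latin/Cyrillic/Greek)."""
    scripts = set()
    for ch in identifier:
        if not ch.isalpha():
            continue
        if ch.isascii():
            scripts.add("LATIN")
        else:
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(identifier):
    """Tiny version of TR39's skeleton(): NFKC-normalise (the Python
    compiler does the same to identifiers) and then replace each known
    confusable with its ASCII look-alike."""
    normalized = unicodedata.normalize("NFKC", identifier)
    return "".join(CONFUSABLE_TO_ASCII.get(ch, ch) for ch in normalized)


def suspicious_identifiers(source):
    """Return a list of (line, identifier, reason) for every identifier that
    contains a non-ASCII character, together with the ASCII name it could be
    mistaken for. Identifiers come from the tokenizer, so imports,
    definitions and call sites are all covered."""
    findings = []
    seen = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.NAME or tok.string.isascii():
            continue
        key = (tok.start[0], tok.string)
        if key in seen:
            continue
        seen.add(key)
        scripts = letter_scripts(tok.string)
        reason = "mixed-script" if len(scripts) > 1 else "non-ASCII"
        look_alike = skeleton(tok.string)
        if look_alike != tok.string and look_alike.isascii():
            reason += f", reads as {look_alike!r}"
        findings.append((tok.start[0], tok.string, reason))
    return findings


if __name__ == "__main__":
    for line, ident, reason in suspicious_identifiers(SAMPLE_SOURCE):
        print(f"line {line}: {ident!r} ({reason})")
```

Two points worth noting. First, NFKC normalisation alone does not catch this case: U+0456 has no compatibility decomposition, so the Python compiler keeps the Cyrillic identifier as a separate name and line 2 really does call the dependency's function rather than the builtin. Second, the scanner flags all non-ASCII identifiers, which will produce findings in codebases that legitimately use non-Latin identifiers; the mixed-script reason and the skeleton comparison are what separate a genuine confusable from ordinary non-English naming.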

