On 11/4/2021 3:37 AM, Rupert Gallagher wrote:
>
> -------- Original Message --------
> On Nov 4, 2021, 07:45, Damian <spamassassin@arcsin.de> wrote:
>
> >> Please convert all source code to ASCII. If it fails to compile,
> >> then it may have a trojan hiding in Unicode clothing.
>
> >Instructions unclear.
>
> CVE-2021-42574
Love it!!!
Yes, and its companion: CVE-2021-42694
Here are the key takeaways:
1) Some people write things from right to left. Beware the evil BIDI.
2) Beware of using somebody else's source code :)
3) Homoglyphs/Punycode, like Doppelgängers, DO exist! (sorry about the
Unicode: ????? ?? ????????)
4) Code containing BIDIs and Homoglyphs can be found on GitHub. Oh, my!
Hard to believe that Cambridge even accepted their paper:
https://trojansource.codes/trojan-source.pdf
From their paper: "We present proofs of concept for C, C++, C#,
JavaScript, Java, Rust, Go, and Python".
That's where they went wrong. Most PERLers here would be 4xPHDs by
Cambridge's standards.
Oops, I used their reference so I must acknowledge those rocket
scientists as per their instruction:
@article{boucher_trojansource_2021,
  title = {Trojan {Source}: {Invisible} {Vulnerabilities}},
  url = {https://trojansource.codes/trojan-source.pdf},
  journal = {Preprint.},
  author = {Nicholas Boucher and Ross Anderson},
  year = {2021}
}
On a funny side note, the most popular question at every Unicode
conference is: "Why are all the character descriptions written in ASCII?"
I say that if we all just wrote in Ordinals, the world would be a
happier place!
-- Jared Hall
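A small defensive scanner for the two issues the thread names, CVE-2021-42574 (bidi control characters) and CVE-2021-42694 (homoglyph identifiers), written as an added example rather than code from the thread or from the Trojan Source paper. It flags every Unicode bidi override or isolate character, reports any other non-ASCII character with its Unicode name, and groups identifiers whose "skeleton" (look-alike letters mapped back to ASCII) collides. The confusable table is a hand-picked subset, not the full Unicode confusables list, and the sample source is constructed for the demonstration.

```python
"""Flag Trojan Source-style Unicode tricks in source text (added example)."""
import re
import unicodedata

# Bidi control characters abused by CVE-2021-42574: overrides, embeddings,
# isolates and their terminators.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}

# Assumption: a small hand-picked confusable table (a subset of Unicode's
# confusables.txt) mapping common look-alike letters to their ASCII twin.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y",                       # Cyrillic lowercase
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u039f": "O",  # Greek capitals
}

# Identifier-ish tokens: a Unicode letter or underscore followed by word chars.
IDENT_RE = re.compile(r"[^\W\d]\w*")


def scan_source(text):
    """Return (line, col, kind, detail) for every bidi or non-ASCII character."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, "bidi", BIDI_CONTROLS[ch]))
            elif ord(ch) > 0x7F:
                findings.append((lineno, col, "non-ascii",
                                 unicodedata.name(ch, "UNKNOWN")))
    return findings


def skeleton(ident):
    """Map look-alike letters to ASCII so homoglyph variants collide."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in ident)


def find_homoglyph_identifiers(text):
    """Return {skeleton: [distinct spellings]} for identifiers that collide."""
    by_skeleton = {}
    for ident in IDENT_RE.findall(text):
        by_skeleton.setdefault(skeleton(ident), set()).add(ident)
    return {k: sorted(v) for k, v in by_skeleton.items() if len(v) > 1}


# Constructed sample: an RLO/PDF pair hidden in a comment and a second
# "hash_value" spelled with a Cyrillic a (U+0430).
SAMPLE = (
    "def is_admin(user):\n"
    "    return user.role == 'admin'\n"
    "\n"
    "# note: \u202ehidden\u202c text\n"
    "hash_value = compute()\n"
    "h\u0430sh_value = 0  # Cyrillic a\n"
)

if __name__ == "__main__":
    for lineno, col, kind, detail in scan_source(SAMPLE):
        print(f"line {lineno} col {col}: {kind} {detail}")
    for skel, spellings in find_homoglyph_identifiers(SAMPLE).items():
        print(f"identifier collision for {skel!r}: "
              + ", ".join(s.encode('unicode_escape').decode() for s in spellings))
```

Run it over a checkout with `python3 scan.py` after swapping `SAMPLE` for the file contents; any `bidi` hit in source is worth a human look, while the `non-ascii` list is where Damian's "convert to ASCII" rule becomes a concrete diff to review.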