On Mon, Nov 01, 2021 at 11:17:52AM -0400, Matthew Miller wrote:
The latest dramatically-named fancy-website infosec thing is called "Trojan
Source". See https://www.trojansource.codes/ if you want to marvel at the
presentation, complete with ominous hacker hex codes and rolling fog over
dark water.

It's not really a vulnerability in the traditional sense, but the idea that
unicode bidirectional characters can be used to hide code in patches. That
code is invisible to humans when viewed with most software that is just
trying to do its job in formatting unicode correctly, but the code can be
formatted in a way that makes various compilers and interpreters actually do
something meaningful with it.

Many tools and compilers are getting updates to check for this. See for
example this for the Rust compiler: 
https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html

For Fedora:

Pierre-Yves Chibon has scanned dist-git and we've not found any such
suspicious characters in patches or spec files, so we're confident that this
hasn't been used to attack Fedora Linux packages to date. For the future,
there's a new mitigation in pagure which will be deployed soon:
https://pagure.io/pagure/c/8bacd4da4fa6de578b818aa7a4b36bbeaaa243d7?branch=master

This will give a warning if a PR contains bidirectional characters. (These
characters _can_ be used for their intended purpose, after all, so we're not
just blocking them.)

Plus, David Cantrell has rpminspect checks and Nick Clifton is expanding
annobin to check ELF objects.

Code will be merged today for rpminspect and I am going to make new
releases of rpminspect and associated data packages. rpminspect will
gain a new 'unicode' inspection that will check text files in SRPMs as
well as the %prep'ed source tree(s) used to build the binary RPMs.

And Huzaifa Sidhpurwala helped immensely in coordinating our response.

Thanks everyone for doing this, keeping Fedora safe and trustworthy!

Thanks,

--
David Cantrell <dcantr...@redhat.com>
Red Hat, Inc. | Boston, MA | EST5EDT
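As an added illustration of the kind of check described above (this is example code, not pagure's, rpminspect's or annobin's own implementation), the script below reports the Unicode bidirectional formatting characters that Trojan Source relies on. It only flags the control characters themselves (U+202A..U+202E, U+2066..U+2069 and the implicit marks), not right-to-left text, so legitimate Hebrew or Arabic strings pass untouched; it also notes when a line opens an embedding or override without closing it, which is the pattern that makes the rest of a line render out of order. The patch it scans is a constructed sample written for this example.

```python
"""Detect Unicode bidirectional control characters (Trojan Source, CVE-2021-42574)
in text and in the added lines of a unified diff. Example code, not pagure/rpminspect."""

# Bidi formatting characters from the Unicode Bidirectional Algorithm (UAX #9).
# Explicit embeddings/overrides/isolates are what Trojan Source abuses; the
# implicit marks (LRM/RLM/ALM) are included because they are invisible too.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
}
# Characters that open a directional run and the ones that close it.
OPENERS = set("\u202a\u202b\u202d\u202e\u2066\u2067\u2068")
CLOSERS = set("\u202c\u2069")


def find_bidi_controls(text):
    """Return (line, column, 'U+XXXX', short name) for every bidi control in text.

    Only control characters are reported; ordinary RTL letters are not flagged,
    because bidi scripts are a legitimate use of the same rendering machinery.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch]))
    return hits


def has_unterminated_embedding(line):
    """True if a line opens more directional runs than it closes.

    A newline implicitly terminates open embeddings, so an unclosed RLO/LRI at
    end of line is exactly how a comment can swallow or reorder visible code.
    """
    depth = 0
    for ch in line:
        if ch in OPENERS:
            depth += 1
        elif ch in CLOSERS:
            depth = max(0, depth - 1)
    return depth > 0


def scan_patch_additions(patch):
    """Check only lines a unified diff adds ('+' prefix, excluding '+++' headers).

    Returns one finding per offending added line with the file it touches, its
    line number inside the patch, the controls found, and whether the line
    leaves a directional run open. Mirrors a warn-on-PR style check: report,
    do not reject, since bidi controls have legitimate uses.
    """
    findings = []
    current_file = None
    for lineno, line in enumerate(patch.splitlines(), start=1):
        if line.startswith("+++ "):
            current_file = line[4:]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if not line.startswith("+"):
            continue
        controls = [(col, cp, name) for (_, col, cp, name) in find_bidi_controls(line)]
        if controls:
            findings.append({
                "file": current_file,
                "patch_line": lineno,
                "controls": controls,
                "unterminated": has_unterminated_embedding(line),
            })
    return findings


# Constructed sample patch (not real code): the added comment line carries an
# RLO (U+202E) plus isolates so that a renderer shows "/* begin admins only */"
# while a compiler sees an early "}" and a stray "if" inside the function.
SAMPLE_PATCH = (
    "diff --git a/auth.c b/auth.c\n"
    "--- a/auth.c\n"
    "+++ b/auth.c\n"
    "@@ -1,3 +1,4 @@\n"
    " int check(int level) {\n"
    "+    /*\u202e } \u2066if (level > 5)\u2069 \u2066 begin admins only */\n"
    "     return 0;\n"
    " }\n"
)

if __name__ == "__main__":
    for f in scan_patch_additions(SAMPLE_PATCH):
        names = ", ".join(f"{cp} {name} @col {col}" for col, cp, name in f["controls"])
        tail = " (unterminated embedding)" if f["unterminated"] else ""
        print(f"{f['file']}: patch line {f['patch_line']}: {names}{tail}")
```

Run it on the output of `git diff` or a saved `.patch` by passing the file contents to `scan_patch_additions`; for spec files or plain sources, `find_bidi_controls` on the whole text gives line and column positions to look at with `cat -A` or a hex dump.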