On Tue, 2006-02-28 at 20:18 +0100, Kevin F. Quinn (Gentoo) wrote:
> On Tue, 28 Feb 2006 12:47:33 -0500
> solar <[EMAIL PROTECTED]> wrote:
> 
> > I forget where I read it but I thought that unicode lead to overflows
> > and was considered a general security risk. I wish I knew where I read
> > that but I'm unable to find it.
> 
> Well, stuff I could find includes:
> 
> http://www.kde.org/info/security/advisory-20060119-1.txt
> buggy UTF-8 decoder in KDE - this is an overflow error, which as
> ciaranm says is a risk applicable to anything. It's a bug in KDE, not
> in UTF-8 as such.  Perhaps this is what was at the back of your mind.
> 
> 
> http://www.izerv.net/idwg-public/archive/0181.html
> risks of using UTF-8; in particular the use of separate validators
> which won't process things exactly the same way the application does.
> Also homograph risks associated with allowing more than one encoding for
> a character.
> 
> http://www.eeye.com/html/Research/Advisories/AD20010705.html
> example of UTF-8(ish) used to fool IDSs by using alternative
> non-standard encodings that IDSs aren't aware of.
> This actually is another example of issues with secondary validators
> described in the link above - they're not guaranteed to parse things
> exactly the same way the application does.
> 
> http://www.microsoft.com/mspress/books/sampchap/5612b.asp
> describes a number of risks of accepting UTF-8, including the above.
> 
> 
> So far I haven't found anything that could be considered a general
> security risk, but that doesn't prove much :)

Thanks Kevin. I think whatever I was thinking of had to do with widechar
support. Maybe on phrack, vuln-dev, DD, I forget.

But the second link was a pretty good read and perhaps can give us some
sort of reasonable checks that we can use before we opt to allow the use
flag to be enabled in our hardened profiles.

Think we can automate any checks using the UTF-8-test.txt?

-- 
solar <[EMAIL PROTECTED]>
Gentoo Linux
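The kind of check the thread is asking for, as an added example (not code from this thread, from KDE or from UTF-8-test.txt): a strict RFC 3629 validator that rejects the alternative non-standard encodings the eEye advisory concerns (overlong forms, surrogates, 5/6-byte forms), run over a few constructed sample sequences modelled on the categories in UTF-8-test.txt. The function names and the samples are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
/* Strict UTF-8 validator (RFC 3629): 1 if buf[0..len) is well-formed, else 0.
 * Rejects stray continuation bytes, truncated sequences, overlong forms
 * (e.g. C0 AF for '/'), UTF-16 surrogates (ED A0 80 to ED BF BF), code
 * points above U+10FFFF and the obsolete 5/6-byte forms. */
int utf8_is_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char b = buf[i];
        size_t n;         /* sequence length in bytes */
        uint32_t cp, lo;  /* decoded code point; smallest allowed for n bytes */
        if (b < 0x80) { i++; continue; }
        else if ((b & 0xE0) == 0xC0) { n = 2; cp = b & 0x1F; lo = 0x80; }
        else if ((b & 0xF0) == 0xE0) { n = 3; cp = b & 0x0F; lo = 0x800; }
        else if ((b & 0xF8) == 0xF0) { n = 4; cp = b & 0x07; lo = 0x10000; }
        else return 0;    /* 80..BF out of place, F8..FF never valid */
        if (i + n > len) return 0;
        for (size_t k = 1; k < n; k++) {
            if ((buf[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (buf[i + k] & 0x3F);
        }
        if (cp < lo || (cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF)
            return 0;
        i += n;
    }
    return 1;
}
/* Constructed samples in the spirit of UTF-8-test.txt; expected[] is what a
 * strict decoder must answer. Returns how many samples the validator gets
 * wrong, so 0 means every check passed. */
int utf8_run_samples(void)
{
    static const unsigned char s0[] = {0x2F};                   /* '/' */
    static const unsigned char s1[] = {0xC3, 0xA9};             /* U+00E9 */
    static const unsigned char s2[] = {0xF0, 0x9F, 0x98, 0x80}; /* U+1F600 */
    static const unsigned char s3[] = {0xC0, 0xAF};             /* overlong '/' */
    static const unsigned char s4[] = {0xED, 0xA0, 0x80};       /* surrogate */
    static const unsigned char s5[] = {0xF4, 0x90, 0x80, 0x80}; /* > U+10FFFF */
    static const unsigned char s6[] = {0xF8, 0x80, 0x80, 0x80, 0x80}; /* 5-byte */
    static const unsigned char s7[] = {0xE2, 0x82};             /* truncated */
    const unsigned char *s[] = {s0, s1, s2, s3, s4, s5, s6, s7};
    const size_t len[] = {1, 2, 4, 2, 3, 4, 5, 2};
    const int expected[] = {1, 1, 1, 0, 0, 0, 0, 0};
    int wrong = 0;
    for (int j = 0; j < 8; j++)
        if (utf8_is_valid(s[j], len[j]) != expected[j]) wrong++;
    return wrong;
}
```

Running the same byte sequences through both the application's decoder and a validator like this one, and comparing the verdicts, is the check for the "separate validator" problem the second link describes.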

-- 
[email protected] mailing list