On Mon, Nov 01, 2021 at 12:30:38PM +0100, Giovanni Biscuolo wrote: > as probably many of you have discovered, today was announced two new > vulnerabilities that exploits the "bidirectional override" Unicode > codepoints feature, making it possible to hide malicious source code in > comments and literal strings /if/ the code review tool (e.g. editor) > does not show this. We need to check our own Git repository history for the tricky codepoints.
> Is there a way for "guix lint" to check for the listed (other?) > "dangerous" codepoints and warn code reviewers? Yeah, we could implement this. It might be expensive but one has to unpack the source code anyways. However, I think that this attack is, in general, not within the scope of Guix's security model, because: 1) Guix implicitly trusts the source code that it fetches from upstream. 2) Guix explicitly fetches the source code from upstream — Guix committers do not provide a copy of the upstream code (of unprovable provenance) as they do in other distros. If an attacker can make malicious modifications to the code distributed by an upstream project, it's not relevant to Guix if they use homoglyphs or a buffer overflow. Guix developers do not inspect upstream source code for vulnerabilities. What do others think?
