Re: Unicode considered harmful again
On 11/5/2021 10:50 AM, John Hardin wrote:

And what of the BIDI sequence that actually causes the problem?

1) The authors cite, as Reference 18, a 2011 Krebs article:

'Right-to-Left Override' Aids Email Attacks
https://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/

That's relevant to SA/Email in a general fashion. The authors were concerned about their use within compilers (other than in text strings). They found some bad apples (unnamed) on GitHub. They also found valid use cases on GitHub as well. Go figure.

All Of Unicode is not the problem.

NONE of Unicode is the problem. The CVEs should've been issued against the 19 companies/organizations they talked to, not Unicode. Unless you want to "Adopt-a-Character" or something, Unicode is not going to do anything about it.

-

Speaking of the Unicode Consortium's "Adopt-a-Character" program, I mentioned that to my psychiatrist a while back. "It's only a hundred bucks", I told her. She probes, "If you could be a character, which would you be?" "That's easy", I said, "I'd be a F09F." "That certainly sounds very specific, Jared. Why that one?" she queried. I chuckled, "Because then I could hook up with any other character and make a great Emoji."

Happy Friday,

-- Jared Hall

Re: Unicode considered harmful again
On Fri, 5 Nov 2021, Benny Pedersen wrote:

On 2021-11-04 09:34, Damian wrote:

>> Please convert all source code to ASCII. If it fails to compile, then it may have a trojan hiding in Unicode clothing.

> Instructions unclear.

CVE 2021-42574

It remains unclear (to me). What source code should spamassassin-users convert? Attached source code in emails? How should they convert, is there a SpamAssassin-Plugin? Should they install compilers on their mail system?

https://bugs.gentoo.org/807781

not all 3rd party have clean rules which leads to that problem

==
$ perl -ne 'print "$. $_" if m/[\x80-\xFF]/' /var/lib/spamassassin/3.004006/updates_spamassassin_org/50_scores.cf
526 # Validity (née ReturnPath) Certified
==

And what of the BIDI sequence that actually causes the problem? All Of Unicode is not the problem.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here."
   -- Peter da Silva in a.s.r
---
2 days until Daylight Saving Time ends in U.S. - Fall Back
Getting an extra hour of 2021 is like getting a free track on a Yoko Ono album.
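
The distinction drawn in this thread, between any non-ASCII byte (what the perl one-liner flags) and the bidirectional controls behind CVE 2021-42574, shown as an added example that is not part of any poster's message. It is written in Python rather than the thread's perl; the code-point list, the `scan` function and the sample lines are assumptions constructed for illustration.

```python
import unicodedata

# Explicit bidirectional controls (list supplied for this example, not by the thread).
EMBED_OPEN = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
ISOL_OPEN = {"\u2066", "\u2067", "\u2068"}             # LRI, RLI, FSI
PDF, PDI = "\u202c", "\u2069"                          # their terminators
BIDI = EMBED_OPEN | ISOL_OPEN | {PDF, PDI}


def scan(data: bytes):
    """Split findings into bidi-control lines and merely non-ASCII lines."""
    bidi_lines, other_non_ascii = [], []
    for lineno, raw in enumerate(data.split(b"\n"), 1):
        # Undecodable bytes become U+FFFD, so they still count as non-ASCII.
        line = raw.decode("utf-8", errors="replace")
        hits = [(col, unicodedata.name(ch))
                for col, ch in enumerate(line, 1) if ch in BIDI]
        if hits:
            emb = iso = 0  # controls still open when the line ends
            for ch in line:
                if ch in EMBED_OPEN:
                    emb += 1
                elif ch in ISOL_OPEN:
                    iso += 1
                elif ch == PDF:
                    emb = max(emb - 1, 0)
                elif ch == PDI:
                    iso = max(iso - 1, 0)
            bidi_lines.append({"line": lineno, "hits": hits,
                               "unterminated": emb > 0 or iso > 0})
        elif any(ord(ch) > 0x7F for ch in line):
            other_non_ascii.append(lineno)
    return bidi_lines, other_non_ascii


# Constructed sample in the style of a rules file; not real SpamAssassin rules.
SAMPLE = (
    "# Validity (n\u00e9e ReturnPath) Certified\n"
    "score EXAMPLE_RULE 1.0\n"
    "describe EXAMPLE_RULE text \u202e reversed\n"
    "describe EXAMPLE_TWO \u2067isolated\u2069 text\n"
).encode("utf-8")

if __name__ == "__main__":
    bidi_lines, other = scan(SAMPLE)
    for f in bidi_lines:
        print(f["line"], "unterminated" if f["unterminated"] else "balanced", f["hits"])
    print("non-ASCII without bidi controls:", other)
```

The "née" comment line lands in the second list only, while the line carrying an override with no terminator is the one reported as unterminated.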