Security vulnerability: Trojan Source, invisible source code vulnerabilities. (CVE-2021-42574)
This document (000020535) is provided subject to the disclaimer at the end of this document.
CVE-2021-42574 ('Trojan Source') refers to vulnerabilities that can come about through the use of bi-directional unicode text in contexts where it is not properly displayed. Various source-code viewers and editors currently do not show content which is "visually hidden by unicode". These may include editors and pagers such as vi, emacs and less as well as the web interfaces of tools that display source code.The failure to display such things as bidirectional control characters can lead to a situation in which source code when compiled or interpreted behaves in ways that someone seeing the displayed text would not expect.
This is not a compiler issue, but future compiler versions will also have options or features to display warnings in cases where such special unicode characters are used.
Even where this does not affect SUSE products directly, SUSE is currently taking action to harden the supply chain for SUSE products in order to detect any such unicode sequences in code that could have harmful effects.
Unicode supports both left-to-right and right-to-left languages, and it makes use of invisible codepoints called "bidirectional override" to aid writing left-to-right words inside a right-to-left sentence. It is common to find these inside a sentence of another language to embed a word with a different text direction. Researchers discovered that these codepoints could be misused to manipulate how source code is displayed in some editors and code review tools, fooling a reviewer into approving code that behaves in unexpected ways (potentially maliciously).
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020535
- Creation Date: 14-Jan-2022
- Modified Date:14-Jan-2022
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
- SUSE Manager Server
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com