On Tue, 2006-02-28 at 20:18 +0100, Kevin F. Quinn (Gentoo) wrote:
> On Tue, 28 Feb 2006 12:47:33 -0500
> solar <solar@g.o> wrote:
>
> > I forget where I read it but I thought that unicode led to overflows
> > and was considered a general security risk. I wish I knew where I read
> > that but I'm unable to find it.
>
> Well, stuff I could find includes:
>
> http://www.kde.org/info/security/advisory-20060119-1.txt
> buggy UTF-8 decoder in KDE - this is an overflow error, which as
> ciaranm says is a risk applicable to anything. It's a bug in KDE, not
> in UTF-8 as such. Perhaps this is what was at the back of your mind.
>
>
> http://www.izerv.net/idwg-public/archive/0181.html
> risks of using UTF-8; in particular the use of separate validators
> which won't process things exactly the same way the application does.
> Also homograph risks associated with allowing more than one encoding for
> a character.
>
> http://www.eeye.com/html/Research/Advisories/AD20010705.html
> example of UTF-8(ish) used to fool IDSs by using alternative
> non-standard encodings that IDSs aren't aware of.
> This actually is another example of issues with secondary validators
> described in the link above - they're not guaranteed to parse things
> exactly the same way the application does.
>
> http://www.microsoft.com/mspress/books/sampchap/5612b.asp
> describes a number of risks of accepting UTF-8, including the above.
>
>
> So far I haven't found anything that could be considered a general
> security risk, but that doesn't prove much :)
|
Thanks Kevin. I think whatever I was thinking of had to do with widechar
support. Maybe on phrack, vuln-dev, DD I forget.

But the second link was a pretty good read and perhaps can give us some
sort of reasonable checks that we can use before we opt to allow the use
flag to be enabled in our hardened profiles.

Think we can automate any checks using the UTF-8-test.txt ?
|
--
solar <solar@g.o>
Gentoo Linux

--
gentoo-dev@g.o mailing list