Gentoo Archives: gentoo-dev

From: solar <solar@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] enable UTF8 per default?
Date: Tue, 28 Feb 2006 20:29:34
Message-Id: 1141158212.23549.41.camel@onyx
In Reply to: Re: [gentoo-dev] enable UTF8 per default? by "Kevin F. Quinn (Gentoo)"
On Tue, 2006-02-28 at 20:18 +0100, Kevin F. Quinn (Gentoo) wrote:
> On Tue, 28 Feb 2006 12:47:33 -0500
> solar <solar@g.o> wrote:
>
> > I forget where I read it but I thought that unicode lead to overflows
> > and was considered a general security risk. I wish I knew where I read
> > that but I'm unable to find it.
>
> Well, stuff I could find includes:
>
> http://www.kde.org/info/security/advisory-20060119-1.txt
> buggy UTF-8 decoder in KDE - this is an overflow error, which as
> ciaranm says is a risk applicable to anything. It's a bug in KDE, not
> in UTF-8 as such. Perhaps this is what was at the back of your mind.
>
>
> http://www.izerv.net/idwg-public/archive/0181.html
> risks of using UTF-8; in particular the use of separate validators
> which won't process things exactly the same way the application does.
> Also homograph risks associated with allowing more than one encoding for
> a character.
>
> http://www.eeye.com/html/Research/Advisories/AD20010705.html
> example of UTF-8(ish) used to fool IDSs by using alternative
> non-standard encodings that IDSs aren't aware of.
> This actually is another example of issues with secondary validators
> described in the link above - they're not guaranteed to parse things
> exactly the same way the application does.
>
> http://www.microsoft.com/mspress/books/sampchap/5612b.asp
> describes a number of risks of accepting UTF-8, including the above.
>
>
> So far I haven't found anything that could be considered a general
> security risk, but that doesn't prove much :)

Thanks Kevin. I think whatever I was thinking of had to do with widechar
support. Maybe on phrack, vuln-dev, DD, I forget.

But the second link was a pretty good read and perhaps can give us some
sort of reasonable checks that we can use before we opt to allow the use
flag to be enabled in our hardened profiles.

Think we can automate any checks using the UTF-8-test.txt ?

--
solar <solar@g.o>
Gentoo Linux

--
gentoo-dev@g.o mailing list
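The thread's two technical points, that alternative (overlong or otherwise non-standard) encodings of a character slip past a lenient validator, and that a secondary validator must parse bytes exactly the way the application's decoder does, can both be checked mechanically. The following is an added example and not code from the thread or from Gentoo: a strict UTF-8 validator following the RFC 3629 byte-range table, a cross-check that it agrees verdict-for-verdict with Python's own strict decoder (standing in for "the application"), and a line-by-line checker of the kind one would run over a stress-test file such as the UTF-8-test.txt mentioned above. The sample inputs and the small test file are constructed here, not taken from that file.

```python
# Strict UTF-8 validator (added example, not from the thread or Gentoo).
# Implements the RFC 3629 well-formedness table: rejects overlong forms,
# UTF-16 surrogates, code points above U+10FFFF, truncated sequences and
# stray continuation bytes, and reports the offset and reason of the
# first problem so a test file can be checked line by line.

def validate_utf8(data: bytes):
    """Return (ok, offset, reason); ok is True iff data is well-formed UTF-8."""
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                       # single-byte ASCII
            i += 1
            continue
        # Sequence length and the permitted range of the second byte.
        # The narrowed second-byte ranges are what exclude overlong forms,
        # surrogates and out-of-range code points.
        if 0xC2 <= b <= 0xDF:
            need, lo, hi = 1, 0x80, 0xBF
        elif b == 0xE0:
            need, lo, hi = 2, 0xA0, 0xBF   # E0 80..9F xx would be overlong
        elif 0xE1 <= b <= 0xEC or 0xEE <= b <= 0xEF:
            need, lo, hi = 2, 0x80, 0xBF
        elif b == 0xED:
            need, lo, hi = 2, 0x80, 0x9F   # ED A0..BF xx encodes U+D800..DFFF
        elif b == 0xF0:
            need, lo, hi = 3, 0x90, 0xBF   # F0 80..8F xx xx would be overlong
        elif 0xF1 <= b <= 0xF3:
            need, lo, hi = 3, 0x80, 0xBF
        elif b == 0xF4:
            need, lo, hi = 3, 0x80, 0x8F   # F4 90.. would exceed U+10FFFF
        elif 0x80 <= b <= 0xBF:
            return False, i, "unexpected continuation byte"
        elif b in (0xC0, 0xC1):
            return False, i, "overlong 2-byte lead byte"
        else:
            return False, i, "invalid lead byte (0xF5..0xFF)"
        if i + need >= n:
            return False, i, "truncated sequence"
        if not lo <= data[i + 1] <= hi:
            return False, i, "second byte out of range (overlong/surrogate/out-of-range)"
        for k in range(2, need + 1):
            if not 0x80 <= data[i + k] <= 0xBF:
                return False, i, "bad continuation byte"
        i += need + 1
    return True, n, "ok"


def matches_reference(data: bytes) -> bool:
    """True iff this validator and Python's strict codec reach the same verdict.

    This is the 'secondary validator' check from the thread: a validator is
    only useful if it accepts and rejects exactly what the real decoder does.
    """
    try:
        data.decode("utf-8", errors="strict")
        ref_ok = True
    except UnicodeDecodeError:
        ref_ok = False
    return ref_ok == validate_utf8(data)[0]


def failing_lines(blob: bytes):
    """Validate each line of a test file; return [(line_no, offset, reason)]."""
    out = []
    for no, line in enumerate(blob.split(b"\n"), start=1):
        ok, pos, reason = validate_utf8(line)
        if not ok:
            out.append((no, pos, reason))
    return out


# Constructed samples (not from UTF-8-test.txt).
SAMPLES = {
    "ascii": b"hello",
    "two_byte": "caf\u00e9".encode(),
    "three_byte": "\u20ac".encode(),
    "four_byte": "\U0001F600".encode(),
    "overlong_slash": b"\xc0\xaf",        # non-shortest form of U+002F
    "overlong_nul": b"\xe0\x80\x80",      # non-shortest form of U+0000
    "surrogate": b"\xed\xa0\x80",         # U+D800, not allowed in UTF-8
    "above_max": b"\xf4\x90\x80\x80",     # U+110000, beyond Unicode
    "truncated": b"\xe2\x82",
    "stray_continuation": b"\x80",
}

# A constructed five-line stand-in for a stress-test file.
CONSTRUCTED_FILE = b"\n".join([
    b"plain ascii",
    "caf\u00e9".encode(),
    b"bad: \xc0\xaf",
    b"bad: \xed\xa0\x80",
    b"ok: \xf4\x8f\xbf\xbf",
])


def check_samples():
    """Map each sample name to the validator's verdict."""
    return {name: validate_utf8(d)[0] for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{name:20s} {'accept' if ok else 'reject'}")
    print("failing lines:", failing_lines(CONSTRUCTED_FILE))
    print("agrees with Python codec:", all(matches_reference(d) for d in SAMPLES.values()))
```

The point of `matches_reference` is the one the second link makes: the validator's verdicts are only worth anything if they match the decoder the application actually uses, so any automated check over a stress-test file should be run against both and the disagreements, not just the rejections, are what need attention.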