public inbox for gentoo-dev@lists.gentoo.org
 help / color / mirror / Atom feed
From: solar <solar@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] enable UTF8 per default?
Date: Tue, 28 Feb 2006 15:23:32 -0500	[thread overview]
Message-ID: <1141158212.23549.41.camel@onyx> (raw)
In-Reply-To: <20060228201850.3c22114b@c1358217.kevquinn.com>

On Tue, 2006-02-28 at 20:18 +0100, Kevin F. Quinn (Gentoo) wrote:
> On Tue, 28 Feb 2006 12:47:33 -0500
> solar <solar@gentoo.org> wrote:
> 
> > I forget where I read it but I thought that unicode lead to overflows
> > and was considered a general security risk. I wish I knew where I read
> > that but I'm unable to find it.
> 
> Well, stuff I could find includes:
> 
> http://www.kde.org/info/security/advisory-20060119-1.txt
> buggy UTF-8 decoder in KDE - this is an overflow error, which as
> ciaranm says is a risk applicable to anything. It's a bug in KDE, not
> in UTF-8 as such.  Perhaps this is what was at the back of your mind.
> 
> 
> http://www.izerv.net/idwg-public/archive/0181.html
> risks of using UTF-8; in particular the use of separate validators
> which won't process things exactly the same way the application does.
> Also homograph risks associated with allowing more than one encoding for
> a character.
> 
> http://www.eeye.com/html/Research/Advisories/AD20010705.html
> example of UTF-8(ish) used to fool IDSs by using alternative
> non-standard encodings that IDSs aren't aware of.
> This actually is another example of issues with secondary validators
> described in the link above - they're not guaranteed to parse things
> exactly the same way the application does.
> 
> http://www.microsoft.com/mspress/books/sampchap/5612b.asp
> describes a number of risks of accepting UTF-8, including the above.
> 
> 
> So far I haven't found anything that could be considered a general
> security risk, but that doesn't prove much :)

Thanks Kevin. I think whatever I was thinking of had todo with widechar
support. Maybe on phrack, vuln-dev, DD I forget.

But the second link was a pretty good read and perhaps can give us some
sort of reasonable checks that we can use before we opt to allow the use
flag to be enabled in our hardened profiles.

Think we can automate any checks using the UTF-8-test.txt ?

-- 
solar <solar@gentoo.org>
Gentoo Linux

-- 
gentoo-dev@gentoo.org mailing list



  reply	other threads:[~2006-02-28 20:29 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-02-28 10:58 [gentoo-dev] enable UTF8 per default? Patrick Lauer
2006-02-28 11:32 ` Diego 'Flameeyes' Pettenò
2006-02-28 11:47   ` Patrick Lauer
2006-02-28 12:11     ` Diego 'Flameeyes' Pettenò
2006-02-28 14:27     ` Mike Frysinger
2006-02-28 12:50 ` Lars Weiler
2006-02-28 13:50   ` Patrick Lauer
2006-02-28 14:46     ` Joseph Jezak
2006-02-28 16:24   ` Kalin KOZHUHAROV
2006-03-04 12:46     ` Alexander Simonov
2006-03-04 20:13       ` Kalin KOZHUHAROV
2006-02-28 16:51 ` Josh
2006-02-28 17:47 ` solar
2006-02-28 17:53   ` Ciaran McCreesh
2006-02-28 18:25   ` Bryan Østergaard
2006-02-28 19:18   ` Kevin F. Quinn (Gentoo)
2006-02-28 20:23     ` solar [this message]
2006-02-28 23:51 ` Bjarke Istrup Pedersen
2006-03-08  7:43 ` [gentoo-dev] " Mathieu Bonnet
2006-03-09 20:25 ` [gentoo-dev] " Kevin F. Quinn (Gentoo)
2006-03-11 20:29 ` Eldad Zack

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1141158212.23549.41.camel@onyx \
    --to=solar@gentoo.org \
    --cc=gentoo-dev@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox