From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org)
	by nuthatch.gentoo.org with esmtp (Exim 4.54)
	id 1FEBTR-0001Z3-RD
	for garchives@archives.gentoo.org; Tue, 28 Feb 2006 20:29:34 +0000
Received: from robin.gentoo.org (localhost [127.0.0.1])
	by robin.gentoo.org (8.13.5/8.13.5) with SMTP id k1SKQhZt011213;
	Tue, 28 Feb 2006 20:26:43 GMT
Received: from mail01.emarketsouth.com (mail01.emarketsouth.com [208.247.233.6])
	by robin.gentoo.org (8.13.5/8.13.5) with SMTP id k1SKMm0v019472
	for <gentoo-dev@lists.gentoo.org>; Tue, 28 Feb 2006 20:22:49 GMT
Received: (qmail 5578 invoked by uid 399); 28 Feb 2006 20:24:55 -0000
Received: from unknown (HELO onyx) (64.192.54.4)
  by mail01.emarketsouth.com with SMTP; 28 Feb 2006 20:24:55 -0000
Subject: Re: [gentoo-dev] enable UTF8 per default?
From: solar <solar@gentoo.org>
To: gentoo-dev@lists.gentoo.org
In-Reply-To: <20060228201850.3c22114b@c1358217.kevquinn.com>
References: <1141124283.7962.74.camel@localhost>
	 <1141148853.4294.17.camel@onyx>
	 <20060228201850.3c22114b@c1358217.kevquinn.com>
Content-Type: text/plain
Organization: Gentoo Linux
Date: Tue, 28 Feb 2006 15:23:32 -0500
Message-Id: <1141158212.23549.41.camel@onyx>
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
Mime-Version: 1.0
X-Mailer: Evolution 2.2.3 
Content-Transfer-Encoding: 7bit
X-Archives-Salt: 07758bde-7801-4e95-87ba-9761e8fb7ac9
X-Archives-Hash: c981cf5f6742e463112d82972cad4774

On Tue, 2006-02-28 at 20:18 +0100, Kevin F. Quinn (Gentoo) wrote:
> On Tue, 28 Feb 2006 12:47:33 -0500
> solar <solar@gentoo.org> wrote:
> 
> > I forget where I read it but I thought that unicode lead to overflows
> > and was considered a general security risk. I wish I knew where I read
> > that but I'm unable to find it.
> 
> Well, stuff I could find includes:
> 
> http://www.kde.org/info/security/advisory-20060119-1.txt
> buggy UTF-8 decoder in KDE - this is an overflow error, which as
> ciaranm says is a risk applicable to anything. It's a bug in KDE, not
> in UTF-8 as such. Perhaps this is what was at the back of your mind.
> 
> 
> http://www.izerv.net/idwg-public/archive/0181.html
> risks of using UTF-8; in particular the use of separate validators
> which won't process things exactly the same way the application does.
> Also homograph risks associated with allowing more than one encoding for
> a character.
> 
> http://www.eeye.com/html/Research/Advisories/AD20010705.html
> example of UTF-8(ish) used to fool IDSs by using alternative
> non-standard encodings that IDSs aren't aware of.
> This actually is another example of issues with secondary validators
> described in the link above - they're not guaranteed to parse things
> exactly the same way the application does.
> 
> http://www.microsoft.com/mspress/books/sampchap/5612b.asp
> describes a number of risks of accepting UTF-8, including the above.
> 
> 
> So far I haven't found anything that could be considered a general
> security risk, but that doesn't prove much :)

Thanks Kevin. I think whatever I was thinking of had to do with widechar
support. Maybe on phrack, vuln-dev, DD; I forget.

But the second link was a pretty good read and perhaps can give us some
sort of reasonable checks that we can use before we opt to allow the use
flag to be enabled in our hardened profiles.

Think we can automate any checks using the UTF-8-test.txt?

-- 
solar <solar@gentoo.org>
Gentoo Linux

-- 
gentoo-dev@gentoo.org mailing list
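Kevin's second and third links above are about validators that do not decode the way the application does and about non-standard (overlong) encodings slipping past an IDS, and solar asks whether checks could be automated from UTF-8-test.txt. The following is an added example, not code from this thread, from Gentoo, or from Markus Kuhn's test file: a strict UTF-8 validator in C that rejects overlong forms, UTF-16 surrogates, code points above U+10FFFF and truncated tails, bounds-checks every continuation-byte read, and runs a small set of constructed vectors in the spirit of that file.

```c
#include <stddef.h>
#include <stdint.h>

/* Strict UTF-8 validator (RFC 3629 rules). Rejects overlong forms such as
 * C0 AF for '/', surrogates (ED A0..BF xx), anything above U+10FFFF and
 * truncated sequences; each continuation read is checked against len. */
int utf8_is_valid(const uint8_t *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        size_t n; uint8_t b = buf[i], lo = 0x80, hi = 0xBF; /* byte-2 range */
        if (b < 0x80) { i++; continue; }            /* ASCII */
        if (b < 0xC2) return 0;                     /* stray 80..BF, C0/C1 */
        if (b < 0xE0) n = 1;
        else if (b < 0xF0) {
            n = 2;
            if (b == 0xE0) lo = 0xA0;               /* overlong 3-byte */
            if (b == 0xED) hi = 0x9F;               /* surrogate range */
        } else if (b < 0xF5) {
            n = 3;
            if (b == 0xF0) lo = 0x90;               /* overlong 4-byte */
            if (b == 0xF4) hi = 0x8F;               /* > U+10FFFF */
        } else return 0;                            /* F5..FF never valid */
        if (len - i < n + 1) return 0;              /* truncated: no overread */
        if (buf[i + 1] < lo || buf[i + 1] > hi) return 0;
        for (size_t k = 2; k <= n; k++)
            if ((buf[i + k] & 0xC0) != 0x80) return 0;
        i += n + 1;
    }
    return 1;
}
/* Constructed vectors in the spirit of UTF-8-test.txt (not copied from it). */
static const struct { const char *s; size_t len; int ok; } vectors[] = {
    { "abc", 3, 1 },              /* plain ASCII */
    { "\xC3\xA9", 2, 1 },         /* U+00E9 */
    { "\xE2\x82\xAC", 3, 1 },     /* U+20AC */
    { "\xF0\x9F\x98\x80", 4, 1 }, /* U+1F600 */
    { "\xC0\xAF", 2, 0 },         /* overlong '/' */
    { "\xE0\x80\xAF", 3, 0 },     /* overlong 3-byte '/' */
    { "\xED\xA0\x80", 3, 0 },     /* UTF-16 surrogate U+D800 */
    { "\xF4\x90\x80\x80", 4, 0 }, /* above U+10FFFF */
    { "\xC3", 1, 0 },             /* truncated sequence */
    { "\x80", 1, 0 },             /* stray continuation byte */
};

/* Runs all vectors; returns how many the validator got wrong (0 = pass). */
int utf8_selftest(void)
{
    int bad = 0;
    for (size_t i = 0; i < sizeof vectors / sizeof vectors[0]; i++)
        bad += utf8_is_valid((const uint8_t *)vectors[i].s, vectors[i].len) != vectors[i].ok;
    return bad;
}
```

Wiring `utf8_selftest()` into a package's test phase would give the kind of automated check solar asks about, provided the decoder under test is the one the application actually uses.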