From: "Kevin F. Quinn (Gentoo)" <kevquinn@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] enable UTF8 per default?
Date: Tue, 28 Feb 2006 20:18:50 +0100
Message-ID: <20060228201850.3c22114b@c1358217.kevquinn.com>
In-Reply-To: <1141148853.4294.17.camel@onyx>
On Tue, 28 Feb 2006 12:47:33 -0500
solar <solar@gentoo.org> wrote:
> I forget where I read it but I thought that unicode lead to overflows
> and was considered a general security risk. I wish I knew where I read
> that but I'm unable to find it.
Well, stuff I could find includes:
http://www.kde.org/info/security/advisory-20060119-1.txt
buggy UTF-8 decoder in KDE - this is an overflow error, which as
ciaranm says is a risk applicable to anything. It's a bug in KDE, not
in UTF-8 as such. Perhaps this is what was at the back of your mind.
http://www.izerv.net/idwg-public/archive/0181.html
risks of using UTF-8; in particular the use of separate validators
which won't process things exactly the same way the application does.
Also homograph risks associated with allowing more than one encoding for
a character.
http://www.eeye.com/html/Research/Advisories/AD20010705.html
example of UTF-8(ish) used to fool IDSs by using alternative
non-standard encodings that IDSs aren't aware of.
This actually is another example of issues with secondary validators
described in the link above - they're not guaranteed to parse things
exactly the same way the application does.
http://www.microsoft.com/mspress/books/sampchap/5612b.asp
describes a number of risks of accepting UTF-8, including the above.
So far I haven't found anything that could be considered a general
security risk, but that doesn't prove much :)
--
Kevin F. Quinn
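The three risks the message lists (a buggy decoder, a separate validator that does not parse bytes the way the application does, and more than one byte sequence for the same character) can be shown in one small piece of code. The following is an added example, not code from the thread, from KDE, or from any project it names. The "lenient" decoder is a constructed model of older decoders that trusted the lead byte and accepted non-shortest-form ("overlong") sequences; the byte-level filter, the `OVERLONG_DOT_DOT_SLASH` sample and the function names are all invented here for illustration.

```python
"""Strict vs. lenient UTF-8 decoding, and why a validator that looks at raw
bytes can disagree with the application that decodes them. Added example;
the lenient decoder and the filter are constructed models, not real code."""


class Utf8Error(ValueError):
    """Raised by the strict decoder for any malformed input."""


def decode_utf8_strict(data: bytes) -> str:
    """Decode as RFC 3629 requires: shortest form only, continuation bytes
    checked, no surrogates, nothing above U+10FFFF, truncation is an error."""
    out, i, n = [], 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:                      # plain ASCII
            out.append(chr(b0))
            i += 1
            continue
        if 0xC2 <= b0 <= 0xDF:             # 2-byte; 0xC0/0xC1 can only be overlong
            need, cp, lo = 1, b0 & 0x1F, 0x80
        elif 0xE0 <= b0 <= 0xEF:           # 3-byte
            need, cp, lo = 2, b0 & 0x0F, 0x800
        elif 0xF0 <= b0 <= 0xF4:           # 4-byte; 0xF5+ would exceed U+10FFFF
            need, cp, lo = 3, b0 & 0x07, 0x10000
        else:
            raise Utf8Error(f"invalid lead byte 0x{b0:02x} at {i}")
        if i + need >= n:
            raise Utf8Error(f"truncated sequence at {i}")
        for k in range(1, need + 1):
            b = data[i + k]
            if b & 0xC0 != 0x80:
                raise Utf8Error(f"bad continuation byte 0x{b:02x} at {i + k}")
            cp = (cp << 6) | (b & 0x3F)
        if cp < lo:                        # e.g. C0 AE for '.', E0 80 AF for '/'
            raise Utf8Error(f"overlong encoding of U+{cp:04X} at {i}")
        if 0xD800 <= cp <= 0xDFFF:
            raise Utf8Error(f"encoded surrogate U+{cp:04X} at {i}")
        if cp > 0x10FFFF:
            raise Utf8Error(f"U+{cp:X} is above U+10FFFF at {i}")
        out.append(chr(cp))
        i += need + 1
    return "".join(out)


def decode_utf8_lenient(data: bytes) -> str:
    """Constructed model of a lenient decoder: takes the length from the lead
    byte and ORs in the low six bits of each following byte, never checking
    shortest form or that those bytes are real continuation bytes."""
    out, i, n = [], 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:
            need, cp = 0, b0
        elif b0 >> 5 == 0b110:
            need, cp = 1, b0 & 0x1F
        elif b0 >> 4 == 0b1110:
            need, cp = 2, b0 & 0x0F
        elif b0 >> 3 == 0b11110:
            need, cp = 3, b0 & 0x07
        else:
            raise Utf8Error(f"invalid lead byte 0x{b0:02x} at {i}")
        if i + need >= n:
            raise Utf8Error(f"truncated sequence at {i}")
        for k in range(1, need + 1):
            cp = (cp << 6) | (data[i + k] & 0x3F)
        out.append(chr(cp))
        i += need + 1
    return "".join(out)


def strict_rejects(data: bytes) -> bool:
    """True if the strict decoder refuses the input."""
    try:
        decode_utf8_strict(data)
    except Utf8Error:
        return True
    return False


# Constructed sample: '../' with every byte written as a 2-byte overlong
# sequence (C0 AE = '.', C0 AF = '/'). Not valid UTF-8 under RFC 3629.
OVERLONG_DOT_DOT_SLASH = b"\xc0\xae\xc0\xae\xc0\xaf"


def raw_filter_sees_traversal(raw: bytes) -> bool:
    """Hypothetical secondary validator (IDS signature or front-end check)
    that inspects wire bytes and only knows the canonical ASCII spelling."""
    return b"../" in raw


def application_sees_traversal(raw: bytes, decoder) -> bool:
    """What the application's path logic sees after running `decoder`;
    input the decoder rejects never reaches that logic."""
    try:
        return "../" in decoder(raw)
    except Utf8Error:
        return False


if __name__ == "__main__":
    s = OVERLONG_DOT_DOT_SLASH
    print("raw filter:", raw_filter_sees_traversal(s),
          "lenient app:", application_sees_traversal(s, decode_utf8_lenient),
          "strict app:", application_sees_traversal(s, decode_utf8_strict))
```

Run stand-alone, the script shows the raw-byte filter passing the sample while the lenient decoder turns it into `../`; the strict decoder refuses the same bytes at the first lead byte, so the filter and the application can no longer disagree. That is the practical answer to the "secondary validator" problem in the links above: either validate after decoding with the same decoder the application uses, or make the decoder itself reject every non-canonical form so there is only one byte sequence per character to match on.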