From: "Kevin F. Quinn (Gentoo)" <kevquinn@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] enable UTF8 per default?
Date: Tue, 28 Feb 2006 20:18:50 +0100
Message-ID: <20060228201850.3c22114b@c1358217.kevquinn.com>
In-Reply-To: <1141148853.4294.17.camel@onyx>


On Tue, 28 Feb 2006 12:47:33 -0500
solar <solar@gentoo.org> wrote:

> I forget where I read it but I thought that unicode led to overflows
> and was considered a general security risk. I wish I knew where I read
> that but I'm unable to find it.

Well, stuff I could find includes:

http://www.kde.org/info/security/advisory-20060119-1.txt
buggy UTF-8 decoder in KDE - this is an overflow error, which as
ciaranm says is a risk applicable to anything. It's a bug in KDE, not
in UTF-8 as such.  Perhaps this is what was at the back of your mind.


http://www.izerv.net/idwg-public/archive/0181.html
risks of using UTF-8; in particular the use of separate validators
which won't process things exactly the same way the application does.
Also homograph risks associated with allowing more than one encoding for
a character.

http://www.eeye.com/html/Research/Advisories/AD20010705.html
example of UTF-8(ish) used to fool IDSs by using alternative
non-standard encodings that IDSs aren't aware of.
This actually is another example of issues with secondary validators
described in the link above - they're not guaranteed to parse things
exactly the same way the application does.

http://www.microsoft.com/mspress/books/sampchap/5612b.asp
describes a number of risks of accepting UTF-8, including the above.


So far I haven't found anything that could be considered a general
security risk, but that doesn't prove much :)

-- 
Kevin F. Quinn
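The second and third links in the message above make one point between them: a validator or IDS that sits in front of an application is only useful if it decodes UTF-8 exactly as the application does, and non-shortest-form ("overlong") sequences are the classic place where two decoders disagree. The following is an added example, not code from the original post or from any of the advisories it cites. It contrasts a constructed, deliberately permissive decoder (the kind that only checks byte shapes) with a strict decoder implementing the RFC 3629 rules, and checks the strict one against Python's own `bytes.decode("utf-8")`. All sample byte strings are constructed for the demonstration.

```python
"""Strict vs lenient UTF-8 decoding (added example, not from the post).

lenient_decode: constructed stand-in for a validator that only checks
that a lead byte is followed by the right number of continuation bytes.
strict_decode:  RFC 3629 rules - shortest form only, no UTF-16
surrogates, nothing above U+10FFFF. A front-end filter must use the
strict rules, or an application behind it will see characters the
filter never saw.
"""


def _lead_info(b: int):
    """Return (continuation_count, initial_bits) for a lead byte, or None."""
    if b < 0x80:
        return 0, b
    if 0xC0 <= b <= 0xDF:
        return 1, b & 0x1F
    if 0xE0 <= b <= 0xEF:
        return 2, b & 0x0F
    if 0xF0 <= b <= 0xF7:
        return 3, b & 0x07
    return None


def _read_sequence(data: bytes, i: int):
    """Decode one sequence starting at data[i]; return (code_point, length).

    Shared shape check used by both decoders: lead byte class and
    continuation bytes of the form 10xxxxxx. No shortest-form check here.
    """
    info = _lead_info(data[i])
    if info is None:
        raise ValueError(f"invalid lead byte 0x{data[i]:02X} at offset {i}")
    extra, cp = info
    if i + 1 + extra > len(data):
        raise ValueError(f"truncated sequence at offset {i}")
    for j in range(1, extra + 1):
        c = data[i + j]
        if c & 0xC0 != 0x80:
            raise ValueError(f"bad continuation byte 0x{c:02X} at offset {i + j}")
        cp = (cp << 6) | (c & 0x3F)
    return cp, 1 + extra


def lenient_decode(data: bytes) -> str:
    """Constructed permissive decoder: accepts any well-shaped sequence."""
    out, i = [], 0
    while i < len(data):
        cp, length = _read_sequence(data, i)
        out.append(chr(cp))
        i += length
    return "".join(out)


# Minimum code point a sequence of the given byte length may encode.
_MIN_FOR_LENGTH = {1: 0x0, 2: 0x80, 3: 0x800, 4: 0x10000}


def strict_decode(data: bytes) -> str:
    """RFC 3629 decoder: rejects overlong forms, surrogates, > U+10FFFF."""
    out, i = [], 0
    while i < len(data):
        cp, length = _read_sequence(data, i)
        if cp < _MIN_FOR_LENGTH[length]:
            raise ValueError(f"overlong encoding of U+{cp:04X} at offset {i}")
        if 0xD800 <= cp <= 0xDFFF:
            raise ValueError(f"UTF-16 surrogate U+{cp:04X} at offset {i}")
        if cp > 0x10FFFF:
            raise ValueError(f"code point U+{cp:X} out of range at offset {i}")
        out.append(chr(cp))
        i += length
    return "".join(out)


def decode_both(data: bytes):
    """Return (lenient_text, strict_text); None where that decoder rejected."""
    results = []
    for fn in (lenient_decode, strict_decode):
        try:
            results.append(fn(data))
        except ValueError:
            results.append(None)
    return tuple(results)


def agrees_with_stdlib(data: bytes) -> bool:
    """True if strict_decode and bytes.decode('utf-8') accept/reject alike."""
    try:
        expected = data.decode("utf-8")
    except UnicodeDecodeError:
        expected = None
    return decode_both(data)[1] == expected


# Constructed samples: a valid string, two overlong encodings of '/',
# and an encoded UTF-16 surrogate.
SAMPLES = [b"caf\xc3\xa9", b"\xc0\xaf", b"\xe0\x80\xaf", b"\xed\xa0\x80"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", decode_both(s), "stdlib agrees:", agrees_with_stdlib(s))
```

Running it shows the disagreement that matters for a filter: the permissive decoder turns both `C0 AF` and `E0 80 AF` into a plain `/`, while the strict decoder and Python's built-in decoder both reject them. The defensive rule that follows is to validate once, strictly, at the boundary, and to have every later stage work on the already-validated result rather than re-decoding the raw bytes with its own rules.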

