From: "Kevin F. Quinn (Gentoo)"
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] enable UTF8 per default?
Date: Tue, 28 Feb 2006 20:18:50 +0100
Message-ID: <20060228201850.3c22114b@c1358217.kevquinn.com>
In-Reply-To: <1141148853.4294.17.camel@onyx>
References: <1141124283.7962.74.camel@localhost> <1141148853.4294.17.camel@onyx>
X-Mailer: Sylpheed-Claws 2.0.0 (GTK+ 2.8.11; i686-pc-linux-gnu)

On Tue, 28 Feb 2006 12:47:33 -0500 solar wrote:
> I forget where I read it but I thought that unicode led to overflows
> and was considered a general security risk. I wish I knew where I read
> that but I'm unable to find it.
Well, stuff I could find includes:

http://www.kde.org/info/security/advisory-20060119-1.txt
buggy UTF-8 decoder in KDE - this is an overflow error, which as ciaranm
says is a risk applicable to anything. It's a bug in KDE, not in UTF-8 as
such. Perhaps this is what was at the back of your mind.

http://www.izerv.net/idwg-public/archive/0181.html
risks of using UTF-8; in particular the use of separate validators which
won't process things exactly the same way the application does. Also
homograph risks associated with allowing more than one encoding for a
character.

http://www.eeye.com/html/Research/Advisories/AD20010705.html
example of UTF-8(ish) used to fool IDSs by using alternative non-standard
encodings that IDSs aren't aware of. This actually is another example of
issues with secondary validators described in the link above - they're not
guaranteed to parse things exactly the same way the application does.

http://www.microsoft.com/mspress/books/sampchap/5612b.asp
describes a number of risks of accepting UTF-8, including the above.

So far I haven't found anything that could be considered a general
security risk, but that doesn't prove much :)

-- 
Kevin F. Quinn

-- 
gentoo-dev@gentoo.org mailing list
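The two points Kevin's links make, that a separate validator which does not decode exactly like the application can be bypassed, and that allowing more than one byte sequence for the same character (overlong forms) is what makes that bypass possible, are easy to see in code. The following is an added example written for this archive page, not code from the mail, from KDE or from any IDS: a strict UTF-8 decoder that follows RFC 3629, a lenient variant that only checks the bit layout (the behaviour of older decoders), and a byte-level pre-filter that looks for a literal "../". The sample input is constructed for the example and is given as raw bytes; a real URL would be percent-decoded first, which is assumed to have already happened.

```python
# Added example, not part of the mail above: a strict UTF-8 decoder beside a
# lenient one, plus a byte-level pre-filter, to show the validator/application
# mismatch and the overlong-encoding problem the linked advisories describe.
# The decoders, the filter and the sample input are constructed for this
# illustration; they are not KDE's code or any IDS's.

# Constructed sample: "../../etc/passwd" with each '/' written in the overlong
# two-byte form C0 AF instead of the single byte 2F that UTF-8 requires.
OVERLONG_TRAVERSAL = b"..\xc0\xaf..\xc0\xafetc/passwd"

# Smallest code point each sequence length may legitimately carry (RFC 3629).
_MIN_FOR_LENGTH = (0x0, 0x80, 0x800, 0x10000)


class Utf8Error(ValueError):
    """Raised for malformed input."""


def _lead(byte):
    """Return (continuation byte count, payload bits) for a lead byte."""
    if byte < 0x80:
        return 0, byte
    if 0xC0 <= byte <= 0xDF:
        return 1, byte & 0x1F
    if 0xE0 <= byte <= 0xEF:
        return 2, byte & 0x0F
    if 0xF0 <= byte <= 0xF7:
        return 3, byte & 0x07
    raise Utf8Error("invalid lead byte 0x%02x" % byte)


def decode_utf8(data, strict=True):
    """Decode bytes into a list of code points.

    strict=True  rejects overlong forms, UTF-16 surrogates and values above
                 U+10FFFF, as RFC 3629 requires.
    strict=False checks only the bit layout, so C0 AF decodes to U+002F '/'.
                 This is the behaviour of the lenient decoders the thread
                 is worried about.
    """
    out = []
    i, n = 0, len(data)
    while i < n:
        need, cp = _lead(data[i])
        if i + need >= n:
            raise Utf8Error("truncated sequence at offset %d" % i)
        for j in range(1, need + 1):
            cont = data[i + j]
            if cont & 0xC0 != 0x80:
                raise Utf8Error("bad continuation byte 0x%02x" % cont)
            cp = (cp << 6) | (cont & 0x3F)
        if strict:
            if cp < _MIN_FOR_LENGTH[need]:
                raise Utf8Error("overlong encoding of U+%04X" % cp)
            if 0xD800 <= cp <= 0xDFFF:
                raise Utf8Error("UTF-16 surrogate U+%04X" % cp)
            if cp > 0x10FFFF:
                raise Utf8Error("code point above U+10FFFF")
        out.append(cp)
        i += need + 1
    return out


def is_valid_utf8(data):
    """True if data is well-formed UTF-8 under the strict rules."""
    try:
        decode_utf8(data, strict=True)
        return True
    except Utf8Error:
        return False


def prefilter_allows(raw):
    """A separate validator that scans the raw bytes for a literal "../".

    This is the pattern the izerv and eEye links warn about: it never decodes,
    so it cannot see a traversal spelled with an alternative encoding.
    """
    return b"../" not in raw


def application_view(raw, strict=True):
    """What the application sees after decoding, or None if it rejects the input."""
    try:
        return "".join(chr(cp) for cp in decode_utf8(raw, strict=strict))
    except Utf8Error:
        return None


def demo(raw=OVERLONG_TRAVERSAL):
    """Return (prefilter verdict, lenient application view, strict application view)."""
    return (prefilter_allows(raw),
            application_view(raw, strict=False),
            application_view(raw, strict=True))


if __name__ == "__main__":
    allowed, lenient, strict = demo()
    print("prefilter allowed request:", allowed)
    print("lenient decoder sees:     ", lenient)
    print("strict decoder sees:      ", strict)
```

Running demo() on the sample gives (True, "../../etc/passwd", None): the byte-level pre-filter passes the request because the literal "../" never appears, the lenient decoder turns it into a plain traversal, and only the strict decoder refuses it. The practical lesson matches Kevin's summary: either the validator and the application must share one decoder, or the application must reject every non-canonical form before any other check runs.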