rpmlint
Add support to detect CVE-2021-42574?
It would be interesting if we could add support to detect Unicode attacks within source code automatically, or at least to bring attention to the packager so she's aware there might be an issue and double check.
Interesting idea. Are you willing to implement that?
Note one will be able to use -Wbidi-chars GCC option (starting with GCC 12.1.0).
Give me advice on how to do it and I may be able to implement it.
Regarding compilers: what you comment is specific for GCC, but I'm not sure we can modify all possible compilers (too much work, I guess) :/
Related: https://github.com/PyCQA/pylint/issues/5281
Lots of testcases here: https://github.com/nickboucher/trojan-source
Give me advice on how to do it and I may be able to implement it.
Sure, you'll need to add a new check derived from AbstractFilesCheck in rpmlint/checks and register the check in configdefaults.toml file.
I would take inspiration from the script provided here: https://access.redhat.com/security/vulnerabilities/RHSB-2021-007#diagnostic-tools
One tricky part would be how to filter files that should be checked? Do you want to do it based on MIME type or extension?
I'm also curious about the speed of the check, we'll see.
Regarding compilers: what you comment is specific for GCC, but I'm not sure we can modify all possible compilers (too much work, I guess) :/
Sure, the characters can be also in different programming languages.
@kraptor Are you still interested in implementing this check?
I'm not sure how much time I have to do this... maybe during the hackweek? Anyway, I forked and created a BidirectionalUnicodeCheck class.
Is there any other check I can use for inspiration? Also, what's the best place to add a testcase and how to do it?
You likely want to read lines like here: https://github.com/rpm-software-management/rpmlint/blob/fc5303f303ba26ec2af956f0c17bd8a00e44686e/rpmlint/checks/LogrotateCheck.py#L43-L45 and check for the special unicode sequences.
Tests can be put under the test folder, please take a look there.
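The line-by-line scan for the special Unicode sequences discussed in this thread, as an added example that is not rpmlint code and not from any participant. The names scan_line, scan_source and SAMPLE are hypothetical, and the binary-file filter is an assumption standing in for the MIME/extension decision left open above. It reports every bidirectional control character and marks lines where an embedding, override or isolate is left unterminated.

```python
import unicodedata

# Bidirectional formatting characters abused in CVE-2021-42574.
OPENERS = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
ISOLATES = {"\u2066", "\u2067", "\u2068"}           # LRI, RLI, FSI
PDF, PDI = "\u202c", "\u2069"                       # their terminators
BIDI = OPENERS | ISOLATES | {PDF, PDI}


def scan_line(line):
    """Return (hits, unterminated) for one decoded line of text."""
    hits, stack = [], []
    for col, ch in enumerate(line, start=1):
        if ch not in BIDI:
            continue
        hits.append((col, unicodedata.name(ch)))
        if ch in OPENERS or ch in ISOLATES:
            stack.append(ch)
        elif ch == PDF and stack and stack[-1] in OPENERS:
            stack.pop()  # PDF only closes an embedding/override on top
        elif ch == PDI and any(c in ISOLATES for c in stack):
            while stack.pop() not in ISOLATES:
                pass     # PDI also closes embeddings opened inside the isolate
    return hits, bool(stack)


def scan_source(data, name="<memory>"):
    """Scan raw file bytes; return one finding dict per affected line."""
    if b"\0" in data[:4096]:
        return []  # crude binary filter (assumption of this sketch)
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return []  # not UTF-8 text; skipped in this sketch
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        hits, unterminated = scan_line(line)
        if hits:
            findings.append({"file": name, "line": lineno,
                             "chars": hits, "unterminated": unterminated})
    return findings


# Constructed sample input (escapes keep this file free of raw controls).
SAMPLE = ("int main(void) {\n"
          "    /* check \u202e done */\n"
          "    int ok = 1; /* \u2067note\u2069 */\n"
          "    return 0;\n}\n").encode("utf-8")

if __name__ == "__main__":
    print(*scan_source(SAMPLE, "demo.c"), sep="\n")
```

Whether a terminated sequence should still be reported is a policy choice; this sketch reports both and leaves the severity to the caller.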