Lintian tag: unicode-trojan

Type: pedantic

Description (from lintian-explain-tags)

The named text file contains a Unicode codepoint that has been identified
as a potential security risk.

There are two distinct attack vectors. One is homoglyphs in which text
looks confusingly similar to what a reader might expects, but is actually
different. The second is birectional attacks, in which the rendered text
hides potentially malicious characters.

Here are the relevant codepoints:

- ARABIC LETTER MARK (U+061C)
- LEFT-TO-RIGHT MARK (U+200E)
- RIGHT-TO-LEFT MARK (U+200F)
- LEFT-TO-RIGHT EMBEDDING (U+202A)
- RIGHT-TO-LEFT EMBEDDING (U+202B)
- POP DIRECTIONAL FORMATTING (U+202C)
- LEFT-TO-RIGHT OVERRIDE (U+202D)
- RIGHT-TO-LEFT OVERRIDE (U+202E)
- LEFT-TO-RIGHT ISOLATE (U+2066)
- RIGHT-TO-LEFT ISOLATE (U+2067)
- FIRST STRONG ISOLATE (U+2068)
- POP DIRECTIONAL ISOLATE (U+2069)

You can also run a similar check in your shell with that command:

grep -r $'[\u061C\u200E\u200F\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069]'

The registered vulnerabilities are CVE-2021-42694 ("Homoglyph") and
CVE-2021-42574 ("Bidirectional Attack").

Please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-42694,
https://nvd.nist.gov/vuln/detail/CVE-2021-42574,
https://www.trojansource.codes,
https://www.trojansource.codes/trojan-source.pdf,
https://en.wikipedia.org/wiki/Bidirectional_text,
https://www.ida.org/research-and-publications/publications/all/i/in/initial-analysis-of-underhanded-source-code,
and
https://www.ida.org/-/media/feature/publications/i/in/initial-analysis-of-underhanded-source-code/d-13166.ashx
for details.

Visibility: pedantic
Show-Always: no
Check: files/unicode/trojan
This tag is experimental.

Affected packages

source version binary level tag count information
bandit 1.7.10-2 experimental unicode-trojan 1 Contents U+2066 "LEFT-TO-RIGHT ISOLATE" [examples/trojansource.py:4]
bandit 1.7.10-2 experimental unicode-trojan 1 Contents U+202E "RIGHT-TO-LEFT OVERRIDE" [examples/trojansource.py:4]
bandit 1.7.10-2 experimental unicode-trojan 1 Contents U+2069 "POP DIRECTIONAL ISOLATE" [examples/trojansource.py:4]
firefox 142.0.1-1 experimental unicode-trojan 1 Contents U+2067 "RIGHT-TO-LEFT ISOLATE" [tools/lint/test/files/trojan-source/early-return.py:5]
firefox-esr 128.14.0esr-1 experimental unicode-trojan 1 Contents U+2067 "RIGHT-TO-LEFT ISOLATE" [tools/lint/test/files/trojan-source/early-return.py:5]
funcoeszz 21.1-1 funcoeszz/21.1-1 experimental unicode-trojan 1 Contents U+200F "RIGHT-TO-LEFT MARK" [usr/bin/funcoeszz:20002]
funcoeszz 21.1-1 funcoeszz/21.1-1 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [usr/bin/funcoeszz:20001]
funcoeszz 21.1-1 funcoeszz/21.1-1 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [usr/bin/funcoeszz:19615]
funcoeszz 21.1-1 funcoeszz/21.1-1 experimental unicode-trojan 1 Contents U+200F "RIGHT-TO-LEFT MARK" [usr/bin/funcoeszz:3926]
funcoeszz 21.1-1 funcoeszz/21.1-1 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [usr/bin/funcoeszz:3925]
funcoeszz 21.1-1 funcoeszz/21.1-1 experimental unicode-trojan 1 Contents U+200F "RIGHT-TO-LEFT MARK" [usr/bin/funcoeszz:19616]
gettext 0.23.1-2 experimental unicode-trojan 1 Contents U+2069 "POP DIRECTIONAL ISOLATE" [gettext-tools/tests/xgettext-17:46]
gettext 0.23.1-2 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [gettext-tools/tests/xgettext-tcl-4:42]
gettext 0.23.1-2 experimental unicode-trojan 1 Contents U+2069 "POP DIRECTIONAL ISOLATE" [gettext-tools/tests/msgconv-8:20]
gettext 0.23.1-2 experimental unicode-trojan 1 Contents U+2069 "POP DIRECTIONAL ISOLATE" [gettext-tools/tests/msgconv-8:16]
gettext 0.23.1-2 experimental unicode-trojan 1 Contents U+2069 "POP DIRECTIONAL ISOLATE" [gettext-tools/tests/msgcat-22:20]
gettext 0.23.1-2 experimental unicode-trojan 1 Contents U+2069 "POP DIRECTIONAL ISOLATE" [gettext-tools/tests/msgcat-22:16]
gettext 0.23.1-2 experimental unicode-trojan 1 Contents U+2068 "FIRST STRONG ISOLATE" [gettext-tools/tests/xgettext-17:46]
gettext 0.23.1-2 experimental unicode-trojan 1 Contents U+2069 "POP DIRECTIONAL ISOLATE" [gettext-tools/tests/xgettext-17:50]
gettext 0.23.1-2 experimental unicode-trojan 1 Contents U+2068 "FIRST STRONG ISOLATE" [gettext-tools/tests/xgettext-17:50]
gettext 0.23.1-2 experimental unicode-trojan 1 Contents U+2068 "FIRST STRONG ISOLATE" [gettext-tools/tests/msgcat-22:20]
gettext 0.23.1-2 experimental unicode-trojan 1 Contents U+2068 "FIRST STRONG ISOLATE" [gettext-tools/tests/msgcat-22:16]
gettext 0.23.1-2 experimental unicode-trojan 1 Contents U+2068 "FIRST STRONG ISOLATE" [gettext-tools/tests/msgconv-8:16]
gettext 0.23.1-2 experimental unicode-trojan 1 Contents U+2068 "FIRST STRONG ISOLATE" [gettext-tools/tests/msgconv-8:20]
konwert 1.8-15 konwert-filters/1.8-15 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [usr/share/konwert/filters/htmlent-UTF8:539]
konwert 1.8-15 konwert-filters/1.8-15 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [usr/share/konwert/filters/mnemonic-UTF8:1096]
konwert 1.8-15 konwert-filters/1.8-15 experimental unicode-trojan 1 Contents U+200F "RIGHT-TO-LEFT MARK" [usr/share/konwert/filters/mnemonic-UTF8:1097]
konwert 1.8-15 konwert-filters/1.8-15 experimental unicode-trojan 1 Contents U+200F "RIGHT-TO-LEFT MARK" [usr/share/konwert/filters/htmlent-UTF8:540]
konwert 1.8-15 konwert-filters/1.8-15 experimental unicode-trojan 1 Contents U+200F "RIGHT-TO-LEFT MARK" [usr/share/konwert/filters/mnemonic1-UTF8:1097]
konwert 1.8-15 konwert-filters/1.8-15 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [usr/share/konwert/filters/mnemonic1-UTF8:1096]
konwert 1.8-15 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [filters/mnemonic1-UTF8:1096]
konwert 1.8-15 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [filters/mnemonic-UTF8:1096]
konwert 1.8-15 experimental unicode-trojan 1 Contents U+200F "RIGHT-TO-LEFT MARK" [filters/mnemonic-UTF8:1097]
konwert 1.8-15 experimental unicode-trojan 1 Contents U+200F "RIGHT-TO-LEFT MARK" [filters/htmlent-UTF8:540]
konwert 1.8-15 experimental unicode-trojan 1 Contents U+200F "RIGHT-TO-LEFT MARK" [filters/mnemonic1-UTF8:1097]
konwert 1.8-15 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [filters/htmlent-UTF8:539]
nvidia-graphics-drivers 555.58.02-1 overridden unicode-trojan 1 Contents U+61C "ARABIC LETTER MARK" [arm64/NVIDIA-Linux-aarch64-555.58.02.run:290505]
nvidia-graphics-drivers-tesla 525.147.05-16 overridden unicode-trojan 1 Contents U+61C "ARABIC LETTER MARK" [amd64/NVIDIA-Linux-x86_64-525.147.05.run:1075261]
nvidia-graphics-drivers-tesla-470 470.256.02-7 overridden unicode-trojan 1 Contents U+200F "RIGHT-TO-LEFT MARK" [arm64/NVIDIA-Linux-aarch64-470.256.02.run:487285]
orca 48.1-2 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:96]
orca 48.1-2 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:94]
orca 48.1-2 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:61]
orca 48.1-2 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:85]
orca 48.1-2 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:59]
orca 48.1-2 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:45]
orca 48.1-2 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:44]
orca 48.1-2 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:86]
orca 48.1-2 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:43]
orca 48.1-2 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:84]
orca 48.1-2 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:95]
orca 48.1-2 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:60]
qelectrotech 1:0.9-3 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [misc/translations_stat.pl:151]
rust-stfu8 0.2.6-2 librust-stfu8-dev/0.2.6-2+b2 experimental unicode-trojan 9 Contents U+200E "LEFT-TO-RIGHT MARK" [usr/share/cargo/registry/stfu8-0.2.6/tests/sanity.rs:99]
rust-stfu8 0.2.6-2 librust-stfu8-dev/0.2.6-2+b2 experimental unicode-trojan 9 Contents U+200F "RIGHT-TO-LEFT MARK" [usr/share/cargo/registry/stfu8-0.2.6/tests/sanity.rs:99]
rust-stfu8 0.2.6-2 experimental unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [tests/sanity.rs:99]
rust-stfu8 0.2.6-2 experimental unicode-trojan 1 Contents U+200F "RIGHT-TO-LEFT MARK" [tests/sanity.rs:99]
sabnzbdplus 4.5.2+dfsg-1 sabnzbdplus/4.5.2+dfsg-1 overridden unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [usr/share/sabnzbdplus/sabnzbd/lang.py:134]
sabnzbdplus 4.5.2+dfsg-1 overridden unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [tools/make_mo.py:77]
sabnzbdplus 4.5.2+dfsg-1 overridden unicode-trojan 1 Contents U+200E "LEFT-TO-RIGHT MARK" [sabnzbd/lang.py:134]
tarantool 2.6.0-1.4 experimental unicode-trojan 1 Contents U+202B "RIGHT-TO-LEFT EMBEDDING" [test/sql-tap/collation_unicode.test.lua:325]
tarantool 2.6.0-1.4 experimental unicode-trojan 1 Contents U+202C "POP DIRECTIONAL FORMATTING" [test/sql-tap/collation_unicode.test.lua:330]
thrift 0.19.0-4 experimental unicode-trojan 1 Contents U+202A "LEFT-TO-RIGHT EMBEDDING" [test/py/TestClient.py:99]
thrift 0.19.0-4 experimental unicode-trojan 1 Contents U+202C "POP DIRECTIONAL FORMATTING" [test/py/TestClient.py:100]
thrift 0.19.0-4 experimental unicode-trojan 1 Contents U+202A "LEFT-TO-RIGHT EMBEDDING" [test/rb/integration/TestClient.rb:143]
thrift 0.19.0-4 experimental unicode-trojan 1 Contents U+202A "LEFT-TO-RIGHT EMBEDDING" [test/py/TestClient.py:100]
thrift 0.19.0-4 experimental unicode-trojan 1 Contents U+202A "LEFT-TO-RIGHT EMBEDDING" [test/rb/integration/TestClient.rb:144]
thrift 0.19.0-4 experimental unicode-trojan 1 Contents U+202C "POP DIRECTIONAL FORMATTING" [test/rb/integration/TestClient.rb:144]
thrift 0.20.0-1 experimental unicode-trojan 1 Contents U+202A "LEFT-TO-RIGHT EMBEDDING" [test/rb/integration/TestClient.rb:143]
thrift 0.20.0-1 experimental unicode-trojan 1 Contents U+202A "LEFT-TO-RIGHT EMBEDDING" [test/py/TestClient.py:100]
thrift 0.20.0-1 experimental unicode-trojan 1 Contents U+202A "LEFT-TO-RIGHT EMBEDDING" [test/rb/integration/TestClient.rb:144]
thrift 0.20.0-1 experimental unicode-trojan 1 Contents U+202C "POP DIRECTIONAL FORMATTING" [test/py/TestClient.py:100]
thrift 0.20.0-1 experimental unicode-trojan 1 Contents U+202C "POP DIRECTIONAL FORMATTING" [test/rb/integration/TestClient.rb:144]
thrift 0.20.0-1 experimental unicode-trojan 1 Contents U+202A "LEFT-TO-RIGHT EMBEDDING" [test/py/TestClient.py:99]
thunderbird 1:128.14.0esr-1 experimental unicode-trojan 1 Contents U+2067 "RIGHT-TO-LEFT ISOLATE" [tools/lint/test/files/trojan-source/early-return.py:5]
thunderbird 1:140.2.0esr-1 experimental unicode-trojan 1 Contents U+2067 "RIGHT-TO-LEFT ISOLATE" [tools/lint/test/files/trojan-source/early-return.py:5]