Lintian tag: unicode-trojan

Type: pedantic

Description (from `lintian-explain-tags`)

The named text file contains a Unicode codepoint that has been identified
as a potential security risk.

There are two distinct attack vectors. One is homoglyphs in which text
looks confusingly similar to what a reader might expects, but is actually
different. The second is birectional attacks, in which the rendered text
hides potentially malicious characters.

Here are the relevant codepoints:

- ARABIC LETTER MARK (U+061C)
- LEFT-TO-RIGHT MARK (U+200E)
- RIGHT-TO-LEFT MARK (U+200F)
- LEFT-TO-RIGHT EMBEDDING (U+202A)
- RIGHT-TO-LEFT EMBEDDING (U+202B)
- POP DIRECTIONAL FORMATTING (U+202C)
- LEFT-TO-RIGHT OVERRIDE (U+202D)
- RIGHT-TO-LEFT OVERRIDE (U+202E)
- LEFT-TO-RIGHT ISOLATE (U+2066)
- RIGHT-TO-LEFT ISOLATE (U+2067)
- FIRST STRONG ISOLATE (U+2068)
- POP DIRECTIONAL ISOLATE (U+2069)

You can also run a similar check in your shell with that command:

grep -r $'[\u061C\u200E\u200F\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069]'

The registered vulnerabilities are CVE-2021-42694 ("Homoglyph") and
CVE-2021-42574 ("Bidirectional Attack").

Please refer to https://nvd.nist.gov/vuln/detail/CVE-2021-42694,
https://nvd.nist.gov/vuln/detail/CVE-2021-42574,
https://www.trojansource.codes,
https://www.trojansource.codes/trojan-source.pdf,
https://en.wikipedia.org/wiki/Bidirectional_text,
https://www.ida.org/research-and-publications/publications/all/i/in/initial-analysis-of-underhanded-source-code,
and
https://www.ida.org/-/media/feature/publications/i/in/initial-analysis-of-underhanded-source-code/d-13166.ashx
for details.

Visibility: pedantic
Show-Always: no
Check: files/unicode/trojan
This tag is experimental.

Affected packages

source	version	binary	tag type	tag	information	count
bandit	1.7.10-1		experimental	unicode-trojan	Contents U+2066 "LEFT-TO-RIGHT ISOLATE" [examples/trojansource.py:4]	1
bandit	1.7.10-1		experimental	unicode-trojan	Contents U+2069 "POP DIRECTIONAL ISOLATE" [examples/trojansource.py:4]	1
bandit	1.7.10-1		experimental	unicode-trojan	Contents U+202E "RIGHT-TO-LEFT OVERRIDE" [examples/trojansource.py:4]	1
firefox	132.0.2-1		experimental	unicode-trojan	Contents U+2067 "RIGHT-TO-LEFT ISOLATE" [tools/lint/test/files/trojan-source/early-return.py:5]	1
firefox-esr	128.4.0esr-1		experimental	unicode-trojan	Contents U+2067 "RIGHT-TO-LEFT ISOLATE" [tools/lint/test/files/trojan-source/early-return.py:5]	1
funcoeszz	21.1-1	funcoeszz/21.1-1	experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [usr/bin/funcoeszz:3925]	1
funcoeszz	21.1-1	funcoeszz/21.1-1	experimental	unicode-trojan	Contents U+200F "RIGHT-TO-LEFT MARK" [usr/bin/funcoeszz:20002]	1
funcoeszz	21.1-1	funcoeszz/21.1-1	experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [usr/bin/funcoeszz:20001]	1
funcoeszz	21.1-1	funcoeszz/21.1-1	experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [usr/bin/funcoeszz:19615]	1
funcoeszz	21.1-1	funcoeszz/21.1-1	experimental	unicode-trojan	Contents U+200F "RIGHT-TO-LEFT MARK" [usr/bin/funcoeszz:3926]	1
funcoeszz	21.1-1	funcoeszz/21.1-1	experimental	unicode-trojan	Contents U+200F "RIGHT-TO-LEFT MARK" [usr/bin/funcoeszz:19616]	1
gettext	0.22.5-2		experimental	unicode-trojan	Contents U+2069 "POP DIRECTIONAL ISOLATE" [gettext-tools/tests/msgcat-22:20]	1
gettext	0.22.5-2		experimental	unicode-trojan	Contents U+2069 "POP DIRECTIONAL ISOLATE" [gettext-tools/tests/xgettext-17:50]	1
gettext	0.22.5-2		experimental	unicode-trojan	Contents U+2068 "FIRST STRONG ISOLATE" [gettext-tools/tests/msgconv-8:16]	1
gettext	0.22.5-2		experimental	unicode-trojan	Contents U+2068 "FIRST STRONG ISOLATE" [gettext-tools/tests/msgcat-22:16]	1
gettext	0.22.5-2		experimental	unicode-trojan	Contents U+2068 "FIRST STRONG ISOLATE" [gettext-tools/tests/xgettext-17:46]	1
gettext	0.22.5-2		experimental	unicode-trojan	Contents U+2069 "POP DIRECTIONAL ISOLATE" [gettext-tools/tests/xgettext-17:46]	1
gettext	0.22.5-2		experimental	unicode-trojan	Contents U+2068 "FIRST STRONG ISOLATE" [gettext-tools/tests/xgettext-17:50]	1
gettext	0.22.5-2		experimental	unicode-trojan	Contents U+2068 "FIRST STRONG ISOLATE" [gettext-tools/tests/msgconv-8:20]	1
gettext	0.22.5-2		experimental	unicode-trojan	Contents U+2069 "POP DIRECTIONAL ISOLATE" [gettext-tools/tests/msgconv-8:16]	1
gettext	0.22.5-2		experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [gettext-tools/tests/xgettext-tcl-4:42]	1
gettext	0.22.5-2		experimental	unicode-trojan	Contents U+2069 "POP DIRECTIONAL ISOLATE" [gettext-tools/tests/msgconv-8:20]	1
gettext	0.22.5-2		experimental	unicode-trojan	Contents U+2069 "POP DIRECTIONAL ISOLATE" [gettext-tools/tests/msgcat-22:16]	1
gettext	0.22.5-2		experimental	unicode-trojan	Contents U+2068 "FIRST STRONG ISOLATE" [gettext-tools/tests/msgcat-22:20]	1
konwert	1.8-13.2	konwert-filters/1.8-13.2	experimental	unicode-trojan	Contents U+200F "RIGHT-TO-LEFT MARK" [usr/share/konwert/filters/htmlent-UTF8:540]	1
konwert	1.8-13.2	konwert-filters/1.8-13.2	experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [usr/share/konwert/filters/mnemonic-UTF8:1096]	1
konwert	1.8-13.2	konwert-filters/1.8-13.2	experimental	unicode-trojan	Contents U+200F "RIGHT-TO-LEFT MARK" [usr/share/konwert/filters/mnemonic-UTF8:1097]	1
konwert	1.8-13.2	konwert-filters/1.8-13.2	experimental	unicode-trojan	Contents U+200F "RIGHT-TO-LEFT MARK" [usr/share/konwert/filters/mnemonic1-UTF8:1097]	1
konwert	1.8-13.2	konwert-filters/1.8-13.2	experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [usr/share/konwert/filters/mnemonic1-UTF8:1096]	1
konwert	1.8-13.2	konwert-filters/1.8-13.2	experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [usr/share/konwert/filters/htmlent-UTF8:539]	1
konwert	1.8-13.2		experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [filters/mnemonic1-UTF8:1096]	1
konwert	1.8-13.2		experimental	unicode-trojan	Contents U+200F "RIGHT-TO-LEFT MARK" [filters/mnemonic-UTF8:1097]	1
konwert	1.8-13.2		experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [filters/htmlent-UTF8:539]	1
konwert	1.8-13.2		experimental	unicode-trojan	Contents U+200F "RIGHT-TO-LEFT MARK" [filters/mnemonic1-UTF8:1097]	1
konwert	1.8-13.2		experimental	unicode-trojan	Contents U+200F "RIGHT-TO-LEFT MARK" [filters/htmlent-UTF8:540]	1
konwert	1.8-13.2		experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [filters/mnemonic-UTF8:1096]	1
orca	47.1-1		experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:94]	1
orca	47.1-1		experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:45]	1
orca	47.1-1		experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:44]	1
orca	47.1-1		experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:43]	1
orca	47.1-1		experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:86]	1
orca	47.1-1		experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:84]	1
orca	47.1-1		experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:61]	1
orca	47.1-1		experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:95]	1
orca	47.1-1		experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:96]	1
orca	47.1-1		experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:59]	1
orca	47.1-1		experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:60]	1
orca	47.1-1		experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [test-historical/keystrokes/gnome-clocks/stop_watch_flat_review.py:85]	1
qelectrotech	1:0.9-2		experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [misc/translations_stat.pl:151]	1
rust-stfu8	0.2.6-2	librust-stfu8-dev/0.2.6-2+b1	experimental	unicode-trojan	Contents U+200F "RIGHT-TO-LEFT MARK" [usr/share/cargo/registry/stfu8-0.2.6/tests/sanity.rs:99]	9
rust-stfu8	0.2.6-2	librust-stfu8-dev/0.2.6-2+b1	experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [usr/share/cargo/registry/stfu8-0.2.6/tests/sanity.rs:99]	9
rust-stfu8	0.2.6-2		experimental	unicode-trojan	Contents U+200E "LEFT-TO-RIGHT MARK" [tests/sanity.rs:99]	1
rust-stfu8	0.2.6-2		experimental	unicode-trojan	Contents U+200F "RIGHT-TO-LEFT MARK" [tests/sanity.rs:99]	1
sbcl	2:2.4.10-2	sbcl/2:2.4.10-2	experimental	unicode-trojan	Contents U+61C "ARABIC LETTER MARK" [usr/lib/sbcl/contrib/uiop.fasl:3910]	1
tarantool	2.6.0-1.4		experimental	unicode-trojan	Contents U+202B "RIGHT-TO-LEFT EMBEDDING" [test/sql-tap/collation_unicode.test.lua:325]	1
tarantool	2.6.0-1.4		experimental	unicode-trojan	Contents U+202C "POP DIRECTIONAL FORMATTING" [test/sql-tap/collation_unicode.test.lua:330]	1
thrift	0.19.0-2.1		experimental	unicode-trojan	Contents U+202A "LEFT-TO-RIGHT EMBEDDING" [test/py/TestClient.py:99]	1
thrift	0.19.0-2.1		experimental	unicode-trojan	Contents U+202A "LEFT-TO-RIGHT EMBEDDING" [test/rb/integration/TestClient.rb:144]	1
thrift	0.19.0-2.1		experimental	unicode-trojan	Contents U+202A "LEFT-TO-RIGHT EMBEDDING" [test/py/TestClient.py:100]	1
thrift	0.19.0-2.1		experimental	unicode-trojan	Contents U+202C "POP DIRECTIONAL FORMATTING" [test/rb/integration/TestClient.rb:144]	1
thrift	0.19.0-2.1		experimental	unicode-trojan	Contents U+202A "LEFT-TO-RIGHT EMBEDDING" [test/rb/integration/TestClient.rb:143]	1
thrift	0.19.0-2.1		experimental	unicode-trojan	Contents U+202C "POP DIRECTIONAL FORMATTING" [test/py/TestClient.py:100]	1
thrift	0.20.0-1		experimental	unicode-trojan	Contents U+202C "POP DIRECTIONAL FORMATTING" [test/py/TestClient.py:100]	1
thrift	0.20.0-1		experimental	unicode-trojan	Contents U+202A "LEFT-TO-RIGHT EMBEDDING" [test/rb/integration/TestClient.rb:143]	1
thrift	0.20.0-1		experimental	unicode-trojan	Contents U+202C "POP DIRECTIONAL FORMATTING" [test/rb/integration/TestClient.rb:144]	1
thrift	0.20.0-1		experimental	unicode-trojan	Contents U+202A "LEFT-TO-RIGHT EMBEDDING" [test/py/TestClient.py:100]	1
thrift	0.20.0-1		experimental	unicode-trojan	Contents U+202A "LEFT-TO-RIGHT EMBEDDING" [test/rb/integration/TestClient.rb:144]	1
thrift	0.20.0-1		experimental	unicode-trojan	Contents U+202A "LEFT-TO-RIGHT EMBEDDING" [test/py/TestClient.py:99]	1
thunderbird	1:128.4.3esr-1		experimental	unicode-trojan	Contents U+2067 "RIGHT-TO-LEFT ISOLATE" [tools/lint/test/files/trojan-source/early-return.py:5]	1
thunderbird	1:132.0~b6-1		experimental	unicode-trojan	Contents U+2067 "RIGHT-TO-LEFT ISOLATE" [tools/lint/test/files/trojan-source/early-return.py:5]	1

Lintian tag: unicode-trojan

Type: pedantic

Description (from lintian-explain-tags)

Affected packages

Description (from `lintian-explain-tags`)