[tex-k] BiDi Trojan Source Code

Doug McKenna doug at mathemaesthetics.com
Tue Nov 2 16:26:44 CET 2021


This is quite the security bug:

  <https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/>

“Bringing all this together, we arrive at a novel supply-chain attack on source code. By injecting Unicode Bidi override characters into comments and strings, an adversary can produce syntactically-valid source code in most modern languages for which the display order of characters presents logic that diverges from the real logic. In effect, we anagram program A into program B.”

I'm wondering whether it affects TeX in some way.

Doug McKenna
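An added example, not part of the original message: a small scanner that reports the Unicode Bidi control characters the quoted passage refers to, run over a constructed TeX fragment. It only locates the characters and says nothing about whether TeX is affected; the function names, the simplified pairing check and the sample are assumptions made for illustration.

```python
# Added example: flag Unicode Bidi control characters in source text.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u202C": "PDF", "\u2069": "PDI",
}
# Terminator expected for each opener: embeddings/overrides -> PDF, isolates -> PDI.
CLOSER = {"LRE": "PDF", "RLE": "PDF", "LRO": "PDF", "RLO": "PDF",
          "LRI": "PDI", "RLI": "PDI", "FSI": "PDI"}


def scan(text):
    """Return (findings, unbalanced_lines), 1-based. A line is unbalanced when an
    opener is unclosed at end of line or a terminator has no opener (simplified)."""
    findings, unbalanced = [], []
    for lineno, line in enumerate(text.split("\n"), 1):
        stack, stray = [], False
        for col, ch in enumerate(line, 1):
            name = BIDI_CONTROLS.get(ch)
            if name is None:
                continue
            findings.append((lineno, col, name))
            if name in CLOSER:
                stack.append(CLOSER[name])   # remember which terminator we need
            elif stack and stack[-1] == name:
                stack.pop()                  # matching terminator
            else:
                stray = True                 # terminator without an opener
        if stack or stray:
            unbalanced.append(lineno)
    return findings, unbalanced


def reveal(line):
    """Make Bidi controls visible as <U+XXXX NAME> so a reviewer sees logical order."""
    return "".join(f"<U+{ord(c):04X} {BIDI_CONTROLS[c]}>" if c in BIDI_CONTROLS else c
                   for c in line)


# Constructed sample: TeX fragment with one paired override and one unclosed isolate.
SAMPLE = (
    "\\documentclass{article}\n"
    "% plain comment\n"
    "\\def\\mode{\u202Eabc\u202C}\n"
    "\\typeout{\u2067open isolate}\n"
)

if __name__ == "__main__":
    print(scan(SAMPLE))
```
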


