[tex-k] BiDi Trojan Source Code
don.hosek at gmail.com
Tue Nov 2 16:41:18 CET 2021
I’ve been thinking about this since I first heard about it and I think that TeX is a minimal attack vector in that it has minimal access to the system, although I suppose there is always the danger of someone running TeX in their home directory and a malicious input file writes to .profile or somesuch, but that’s an attack vector independent of this given that most people don’t necessarily inspect the source of TeX files before running.
I think it might be worth prohibiting writing to dot files and/or the home directory as a matter of safety.
> On 2 Nov 2021, at 10:26, Doug McKenna <doug at mathemaesthetics.com> wrote:
> This is quite the security bug:
> “Bringing all this together, we arrive at a novel supply-chain attack on source code. By injecting Unicode Bidi override characters into comments and strings, an adversary can produce syntactically-valid source code in most modern languages for which the display order of characters presents logic that diverges from the real logic. In effect, we anagram program A into program B.”
> I'm wondering whether it affects TeX in some way.
> Doug McKenna
More information about the tex-k