阿里云漏洞库

漏洞描述

A flaw was found in the way Unicode standards are implemented in the context of development environments, which have specialized requirements for rendering text. An attacker could exploit this to deceive a human reviewer by creating a malicious patch containing well placed BiDi characters. The special handling and rendering of those characters can be then used in an attempt to hide unexpected and potentially dangerous behaviour from the reviewer.

解决建议

目前厂商已发布升级补丁以修复漏洞，补丁获取链接：
https://access.redhat.com/security/cve/cve-2021-42574

参考链接
http://www.openwall.com/lists/oss-security/2021/11/01/1
http://www.openwall.com/lists/oss-security/2021/11/01/4
http://www.openwall.com/lists/oss-security/2021/11/01/5
http://www.openwall.com/lists/oss-security/2021/11/01/6
http://www.openwall.com/lists/oss-security/2021/11/02/10
http://www.unicode.org/versions/Unicode14.0.0/
https://access.redhat.com/security/cve/cve-2021-42574
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://security.gentoo.org/glsa/202210-09
https://trojansource.codes
https://www.kb.cert.org/vuls/id/999008
https://www.scyon.nl/post/trojans-in-your-source-code
https://www.starwindsoftware.com/security/sw-20220804-0002/
https://www.unicode.org/reports/tr31/
https://www.unicode.org/reports/tr36/
https://www.unicode.org/reports/tr39/
https://www.unicode.org/reports/tr9/tr9-44.html#HL4

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	unicode	unicode	*		Up to (excluding) 14.0.0
	运行在以下环境
	系统	alibaba_cloud_linux_2.1903	binutils	*		Up to (excluding) 2.27-44.base.1.al7.1
	运行在以下环境
	系统	alibaba_cloud_linux_3	rls	*		Up to (excluding) 1.54.0-3.al8
	运行在以下环境
	系统	alma_linux_8	gcc	*		Up to (excluding) 8.5.0-4.el8_5.alma
	运行在以下环境
	系统	alpine_3.15	rust	*		Up to (excluding) 1.56.1-r0
	运行在以下环境
	系统	alpine_3.16	rust	*		Up to (excluding) 1.56.1-r0
	运行在以下环境
	系统	alpine_3.17	rust	*		Up to (excluding) 1.56.1-r0
	运行在以下环境
	系统	alpine_3.18	rust	*		Up to (excluding) 1.56.1-r0
	运行在以下环境
	系统	alpine_3.19	rust	*		Up to (excluding) 1.56.1-r0
	运行在以下环境
	系统	amazon_2	gcc	*		Up to (excluding) 7.3.1-14.amzn2
	运行在以下环境
	系统	amazon_2022	gcc	*		Up to (excluding) 11.3.1-2.amzn2022.0.8
	运行在以下环境
	系统	amazon_2023	gcc	*		Up to (excluding) 11.3.1-4.amzn2023.0.2
	运行在以下环境
	系统	anolis_os_8	cpp	*		Up to (excluding) 8.5.0-4.0.1
	运行在以下环境
	系统	centos_7	binutils	*		Up to (excluding) 2.27-44.base.el7_9.1
	运行在以下环境
	系统	debian_12	rustc	*		Up to (excluding) 1.57.0+dfsg1-1
	运行在以下环境
	系统	fedora_33	rls	*		Up to (excluding) 1.56.1-1.fc33
	运行在以下环境
	系统	fedora_34	rls	*		Up to (excluding) 1.56.1-1.fc34
	运行在以下环境
	系统	fedora_35	rls	*		Up to (excluding) 1.56.1-1.fc35
	运行在以下环境
	系统	fedora_EPEL_7	rls	*		Up to (excluding) 1.56.1-1.el7
	运行在以下环境
	系统	kylinos_aarch64_V10	binutils	*		Up to (excluding) 2.27-44.base.el7_9.1
	运行在以下环境
	系统	kylinos_aarch64_V10SP2	binutils	*		Up to (excluding) 2.34-19.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10	binutils	*		Up to (excluding) 2.27-44.base.el7_9.1
	运行在以下环境
	系统	kylinos_x86_64_V10SP2	binutils	*		Up to (excluding) 2.34-19.ky10
	运行在以下环境
	系统	oracle_7	binutils	*		Up to (excluding) 2.27-44.base.0.3.el7_9.1
	运行在以下环境
	系统	oracle_8	cpp	*		Up to (excluding) 8.5.0-4.0.1.el8_5
	运行在以下环境
	系统	redhat_7	binutils	*		Up to (excluding) 2.27-44.base.el7_9.1
	运行在以下环境
	系统	redhat_8	cpp	*		Up to (excluding) 8.5.0-4.el8_5
	运行在以下环境
	系统	rocky_linux_8	gcc	*		Up to (excluding) 8.5.0-4.el8_5
	运行在以下环境
	系统	ubuntu_20.04	rustc	*		Up to (excluding) 1.57.0+dfsg1+llvm-0ubuntu1~20.04.1
	运行在以下环境
	系统	ubuntu_22.04	rustc	*		Up to (excluding) 1.57.0+dfsg1+llvm-0ubuntu2

攻击路径

远程
攻击复杂度

复杂
权限要求

无需权限
影响范围

全局影响
EXP成熟度

未验证
补丁情况

官方补丁
数据保密性

数据泄露
数据完整性

无影响
服务器危害

无影响
全网数量

N/A

CWE-ID	漏洞类型
CWE-94	对生成代码的控制不恰当（代码注入）

中危 Unicode's bidirectional (BiDi) override characters can cause trojan source attacks

漏洞描述

解决建议

参考链接

受影响软件情况