SUSE Support

Here When You Need Us

Security vulnerability: Trojan Source, invisible source code vulnerabilities. (CVE-2021-42574)

This document (000020535) is provided subject to the disclaimer at the end of this document.

Environment

All products

Situation

CVE-2021-42574 ('Trojan Source') refers to vulnerabilities that can come about through the use of bi-directional unicode text in contexts where it is not properly displayed.  Various source-code viewers and editors currently do not show content which is "visually hidden by unicode".  These may include editors and pagers such as vi, emacs and less as well as the web interfaces of tools that display source code.

The failure to display such things as bidirectional control characters can lead to a situation in which source code when compiled or interpreted behaves in ways that someone seeing the displayed text would not expect.

This is not a compiler issue, but future compiler versions will also have options or features to display warnings in cases where such special unicode characters are used.
 

Resolution

Even where this does not affect SUSE products directly, SUSE is currently taking action to harden the supply chain for SUSE products in order to detect any such unicode sequences in code that could have harmful effects.

Cause

Unicode supports both left-to-right and right-to-left languages, and it makes use of invisible codepoints called "bidirectional override" to aid writing left-to-right words inside a right-to-left sentence. It is common to find these inside a sentence of another language to embed a word with a different text direction.  Researchers discovered that these codepoints could be misused to manipulate how source code is displayed in some editors and code review tools, fooling a reviewer into approving code that behaves in unexpected ways (potentially maliciously).

Status

Security Alert

Additional Information

Additional information can be found at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020535
  • Creation Date: 05-Jan-2022
  • Modified Date:14-Jan-2022
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server
    • SUSE Manager Server
    • SUSE Rancher

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.