|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "Security advisory for rustc (CVE-2021-42574)" |
| 4 | +author: The Rust Security Response WG |
| 5 | +--- |
| 6 | + |
| 7 | +> This is a cross-post of [the official security advisory][advisory]. The |
| 8 | +> official advisory contains a signed version with our PGP key, as well. |
| 9 | +
|
| 10 | +[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/bKPH8XYMvJU |
| 11 | + |
| 12 | +The Rust Security Response WG was notified of a security concern affecting |
| 13 | +source code containing "bidirectional override" Unicode codepoints: in some |
| 14 | +cases the use of those codepoints could lead to the reviewed code being |
| 15 | +different than the compiled code. |
| 16 | + |
| 17 | +This is a vulnerability in the Unicode specification, and its assigned |
| 18 | +identifier is [CVE-2021-42574]. While the vulnerability itself is not a rustc |
| 19 | +flaw, we're taking proactive measures to mitigate its impact on Rust |
| 20 | +developers. |
| 21 | + |
| 22 | +## Overview |
| 23 | + |
| 24 | +Unicode has support for both left-to-right and right-to-left languages, and to |
| 25 | +aid writing left-to-right words inside a right-to-left sentence (or vice versa) |
| 26 | +it also features invisible codepoints called "bidirectional override". |
| 27 | + |
| 28 | +These codepoints are normally used across the Internet to embed a word inside a |
| 29 | +sentence of another language (with a different text direction), but it was |
| 30 | +reported to us that they could be used to manipulate how source code is |
| 31 | +displayed in some editors and code review tools, leading to the reviewed code |
| 32 | +being different than the compiled code. This is especially bad if the whole |
| 33 | +team relies on bidirectional-aware tooling. |
| 34 | + |
| 35 | +As an example, the following snippet (with `{U+NNNN}` replaced with the Unicode |
| 36 | +codepoint `NNNN`): |
| 37 | + |
| 38 | +```rust |
| 39 | +if access_level != "user{U+202E} {U+2066}// Check if admin{U+2069} {U+2066}" { |
| 40 | +``` |
| 41 | + |
| 42 | +...would be rendered by bidirectional-aware tools as: |
| 43 | + |
| 44 | +```rust |
| 45 | +if access_level != "user" { // Check if admin |
| 46 | +``` |
| 47 | + |
| 48 | +## Affected Versions |
| 49 | + |
| 50 | +Rust 1.56.1 introduces two new lints to detect and reject code containing the |
| 51 | +affected codepoints. Rust 1.0.0 through Rust 1.56.0 do not include such lints, |
| 52 | +leaving your source code vulnerable to this attack if you do not perform |
| 53 | +out-of-band checks for the presence of those codepoints. |
| 54 | + |
| 55 | +To assess the security of the ecosystem we analyzed all crate versions ever |
| 56 | +published on crates.io (as of 2021-10-17), and only 5 crates have the affected |
| 57 | +codepoints in their source code, with none of the occurrences being malicious. |
| 58 | + |
| 59 | +## Mitigations |
| 60 | + |
| 61 | +We will be releasing Rust 1.56.1 today, 2021-11-01, with two new |
| 62 | +deny-by-default lints detecting the affected codepoints, respectively in string |
| 63 | +literals and in comments. The lints will prevent source code files containing |
| 64 | +those codepoints from being compiled, protecting you from the attack. |
| 65 | + |
| 66 | +If your code has legitimate uses for the codepoints we recommend replacing them |
| 67 | +with the related escape sequence. The error messages will suggest the right |
| 68 | +escapes to use. |
| 69 | + |
| 70 | +If you can't upgrade your compiler version, or your codebase also includes |
| 71 | +non-Rust source code files, we recommend periodically checking that the |
| 72 | +following codepoints are not present in your repository and your dependencies: |
| 73 | +U+202A, U+202B, U+202C, U+202D, U+202E, U+2066, U+2067, U+2068, U+2069. |
| 74 | + |
| 75 | +## Timeline of events |
| 76 | + |
| 77 | +* 2021-07-25: we received the report and started working on a fix. |
| 78 | +* 2021-09-14: the date for the embargo lift (2021-11-01) is communicated to us. |
| 79 | +* 2021-10-17: performed an analysis of all the source code ever published to |
| 80 | + crates.io to check for the presence of this attack. |
| 81 | +* 2021-11-01: embargo lifts, the vulnerability is disclosed and Rust 1.56.1 is |
| 82 | + released. |
| 83 | + |
| 84 | +## Acknowledgments |
| 85 | + |
| 86 | +Thanks to [Nicholas Boucher][1] and [Ross Anderson][2] from the University of |
| 87 | +Cambridge for disclosing this to us according to our [security policy][3]! |
| 88 | + |
| 89 | +We also want to thank the members of the Rust project who contributed to the |
| 90 | +mitigations for this issue. Thanks to Esteban Küber for developing the lints, |
| 91 | +Pietro Albini for leading the security response, and many others for their |
| 92 | +involvement, insights and feedback: Josh Stone, Josh Triplett, Manish |
| 93 | +Goregaokar, Mara Bos, Mark Rousskov, Niko Matsakis, and Steve Klabnik. |
| 94 | + |
| 95 | +## Appendix: Homoglyph attacks |
| 96 | + |
| 97 | +As part of their research, Nicholas Boucher and Ross Anderson also uncovered a |
| 98 | +similar security issue identified as [CVE-2021-42694] involving homoglyphs inside |
| 99 | +identifiers. Rust already includes mitigations for that attack since Rust |
| 100 | +1.53.0. Rust 1.0.0 through Rust 1.52.1 is not affected due to the lack of |
| 101 | +support for non-ASCII identifiers in those releases. |
| 102 | + |
| 103 | +[1]: https://github.com/nickboucher |
| 104 | +[2]: https://www.cl.cam.ac.uk/~rja14 |
| 105 | +[3]: https://www.rust-lang.org/policies/security |
| 106 | + |
| 107 | +[CVE-2021-42574]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574 |
| 108 | +[CVE-2021-42694]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42694 |
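Review bot: The scope of the new lints is stated inconsistently between "Affected Versions" and "Mitigations": the former says Rust 1.56.1 "introduces two new lints to detect and reject code containing the affected codepoints", while the latter narrows them to "string literals and in comments". Suggest qualifying the first sentence the same way (e.g. "... containing the affected codepoints in string literals and comments") so readers relying on the lints as their only check know where the compiler does not look, and so the out-of-band check recommended for non-Rust files reads as the complement of the lints rather than a redundant step. Minor: in the appendix, "Rust 1.0.0 through Rust 1.52.1 is not affected" should read "are not affected".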