On 11/4/2021 10:44 AM, Bill Cole wrote:
> On 2021-11-04 at 08:45:02 UTC-0400 (Thu, 4 Nov 2021 08:45:02 -0400)
> Jared Hall <ja...@jaredsec.com>
> is rumored to have said:
>
> [...]
>> 2) Beware of using somebody else's source code :)
>
> That's the really significant warning...

Agreed. Does one need to write a paper and publish a couple of CVEs for
that? I thought Mitre or whoever runs CVE nowadays would triage these
types of reports through a "Captain Obvious" department to sort Wants
from Needs.

> We do not currently publish non-ASCII rules in the default ruleset
> channel. I don't believe that KAM ever does so.

KAM certainly has. I do recall seeing at least an infinity symbol as
well as the Euro symbol in his rulesets last I looked. NBD, works
anyway. I crank out hex when dealing with Unicode, and I have tons of
that. I have a nice Unicode converter that works on strings. One of
these days I'll change it to parse entire files; Heinlein's stuff for
instance.

> In v4.x, Unicode support will be better. That also means it may be
> easier to make this sort of attack quieter in the future, as non-ASCII
> rules won't be definitively wrong as they are now.

I have my own thoughts/reservations about distributing Unicode
rulesets. Challenging days ahead, to be sure. It'd sure be nice to get
sa-compile to run entirely clean though.

Thanks,
-- Jared Hall
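
The thread above turns on non-ASCII characters in rule files and on writing them as hex instead. As an added example (not part of the original message, and not code from anyone in the thread), here is one way to audit a rule file for non-ASCII lines, flag bidirectional control characters separately, and show an ASCII-only hex spelling. It assumes rules are matched against UTF-8 bytes; the function names, the `BIDI` set and the sample rules are all made up for illustration.

```python
import unicodedata

# Bidirectional control characters that can reorder displayed text
# (assumption: this set is the one worth flagging separately).
BIDI = {0x061C, 0x200E, 0x200F, *range(0x202A, 0x202F), *range(0x2066, 0x206A)}

def hex_escape(text):
    """Replace each non-ASCII character with \\xNN escapes of its UTF-8 bytes."""
    return "".join(
        ch if ord(ch) < 0x80
        else "".join("\\x%02x" % b for b in ch.encode("utf-8"))
        for ch in text
    )

def audit_rules(data):
    """Return one finding per line of a rule file (bytes) that is not pure ASCII."""
    findings = []
    for lineno, raw in enumerate(data.split(b"\n"), 1):
        if raw.isascii():
            continue
        try:
            line = raw.decode("utf-8")
        except UnicodeDecodeError:
            findings.append({"line": lineno, "chars": [], "bidi": False,
                             "escaped": None})  # not UTF-8: needs manual review
            continue
        odd = [c for c in line if ord(c) >= 0x80]
        findings.append({
            "line": lineno,
            "chars": ["U+%04X %s" % (ord(c), unicodedata.name(c, "UNNAMED")) for c in odd],
            "bidi": any(ord(c) in BIDI for c in odd),
            "escaped": hex_escape(line),  # ASCII-only spelling of the same bytes
        })
    return findings

# Constructed sample rule file; rule names and patterns are made up.
SAMPLE = (
    "body LOCAL_EURO_PRICE /\u20ac\\s?\\d+/\n"
    "describe LOCAL_EURO_PRICE Price quoted in euros\n"
    "header LOCAL_SUBJ_TEST Subject =~ /invoice\u202e/i\n"
).encode("utf-8") + b"body LOCAL_LATIN1 /caf\xe9/\n"

if __name__ == "__main__":
    for f in audit_rules(SAMPLE):
        print(f["line"], "BIDI" if f["bidi"] else "non-ASCII", f["chars"], f["escaped"])
```
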