Hello,
I observed a Unicode check failure in the fedora-ci.koji-build.rpminspect.static-analysis test on the perl-Prima-1.70-1.fc40 package in Fedora CI https://bodhi.fedoraproject.org/updates/FEDORA-2023-54d3e14b6e:
A forbidden code point, 0x202D, was found in the Prima-1.70/Prima/Drawable/Glyphs.pm source file on line 999 at column 3. This source file is used by perl-Prima.spec.
Suggested remedy:
The rpminspect configuration file contains a list of forbidden Unicode code points. One was found in the extracted and patched source tree or in one of the text source files in the source RPM. Either remove this code point or discuss the situation with the Product Security Team to determine the correct course of action.
This is an excerpt from the Glyphs.pm file:
995 =for latex-makedoc cut
996
997 use Prima;
998 $::application-> begin_paint;
999 $::application-> text_shape_out('אפס123', 0,0);
1000
1001 123ספא
1002
1003 =for latex-makedoc cut
As you can see, it's text from documentation in POD format. The documentation is interleaved with Perl code.
I classify the test finding as a false positive because Fedora rpminspect policy excludes documentation files, though rpminspect cannot split documentation from code in a single file.
I tried to disable the unicode check with a local rpminspect.yaml file, but rpminspect insists on security checks not being overridden by a package:
$ rpminspect -c /usr/share/rpminspect/fedora.yaml -T unicode perl-Prima-1.70-1.fc40.src.rpm
rpminspect: *** ignoring 'unicode' section in /tmp/rpminspect.yaml; only allowed in system-wide configuration
My questions:
Do you agree it's a false positive? Can you sanction amending Fedora rpminspect policy with:
unicode:
  ignore:
    # 0x202D character used on purpose to demonstrate RLE in
    # a documentation.
    - Prima-*/Prima/Drawable/Glyphs.pm
-- Petr
> My questions:
> Do you agree it's a false positive? Can you sanction amending Fedora rpminspect policy with:
> unicode:
>   ignore:
>     # 0x202D character used on purpose to demonstrate RLE in
>     # a documentation.
>     - Prima-*/Prima/Drawable/Glyphs.pm
+1, sounds reasonable to me, although maybe rpminspect should continue logging such instances for future audit, without blocking updates.
Thanks, Sid
On Wed, Sep 06, 2023 at 04:15:48PM -0000, Siddhesh Poyarekar wrote:
> > My questions:
> > Do you agree it's a false positive? Can you sanction amending Fedora rpminspect policy with:
> > unicode:
> >   ignore:
> >     # 0x202D character used on purpose to demonstrate RLE in
> >     # a documentation.
> >     - Prima-*/Prima/Drawable/Glyphs.pm
> +1, sounds reasonable to me, although maybe rpminspect should continue logging such instances for future audit, without blocking updates.
Yeah, it seems odd to block Fedora updates here.
I wouldn't think this should be blocking in Fedora... and I agree this is a false positive here.
kevin
On Wed, Sep 6, 2023 at 2:01 PM Kevin Fenzi kevin@scrye.com wrote:
> On Wed, Sep 06, 2023 at 04:15:48PM -0000, Siddhesh Poyarekar wrote:
> > > My questions:
> > > Do you agree it's a false positive? Can you sanction amending Fedora rpminspect policy with:
> > > unicode:
> > >   ignore:
> > >     # 0x202D character used on purpose to demonstrate RLE in
> > >     # a documentation.
> > >     - Prima-*/Prima/Drawable/Glyphs.pm
> > +1, sounds reasonable to me, although maybe rpminspect should continue logging such instances for future audit, without blocking updates.
> Yeah, it seems odd to block Fedora updates here.
> I wouldn't think this should be blocking in Fedora... and I agree this is a false positive here.
From a supply chain security perspective I think it's not a bad idea to block updates (unless there is a documented waiver) when it is first encountered, at least for now, since the present state of things is such that RTL in code is unnatural. Maybe if it becomes more common in future to have, e.g., Arabic comments, the check could then be made smarter to look only for non-comment usage of bidi chars.
Thanks, Sid
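To make the two points above concrete (where a line/column report like rpminspect's comes from, and what a check that only blocks on bidi characters outside documentation and comments could look like), here is an added Python example. It is not part of this thread or of rpminspect itself: the POD and comment classification is a heuristic of my own, the `scan_perl`/`decide` names are mine, and the sample file is constructed to resemble the Glyphs.pm excerpt.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Bidi control code points of the kind rpminspect's unicode inspection forbids
# (U+202A..U+202E embeddings/overrides, U+2066..U+2069 isolates). The reported
# 0x202D is LEFT-TO-RIGHT OVERRIDE.
FORBIDDEN = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))

@dataclass
class Finding:
    line: int      # 1-based, as rpminspect reports it
    column: int    # 1-based
    codepoint: int
    context: str   # "pod", "comment" or "code"

def scan_perl(text: str) -> list[Finding]:
    """Locate forbidden code points; tag each as POD, comment or code (heuristic)."""
    findings, in_pod = [], False
    for lineno, line in enumerate(text.split("\n"), start=1):
        if re.match(r"^=[A-Za-z]", line):   # POD runs from '=word' to '=cut'
            in_pod = not line.startswith("=cut")
        hash_at = line.find("#")            # crude: a '#' inside a string fools it
        for idx, ch in enumerate(line):
            if ord(ch) not in FORBIDDEN:
                continue
            ctx = "pod" if in_pod else "comment" if 0 <= hash_at < idx else "code"
            findings.append(Finding(lineno, idx + 1, ord(ch), ctx))
    return findings

def decide(path: str, findings: list[Finding], ignore_globs: list[str]) -> str:
    """Waive listed paths; block on hits in real code; only log doc/comment hits."""
    if any(fnmatchcase(path, g) for g in ignore_globs):
        return "ignored"
    if any(f.context == "code" for f in findings):
        return "block"
    return "log" if findings else "ok"

# Constructed sample modelled on the Glyphs.pm excerpt, not the real file.
SAMPLE = (
    "my $x = 1; # comment with \u202d override\n"
    "=for latex-makedoc cut\n"
    "use Prima;\n"
    "$::application-> text_shape_out('\u202d\u05d0\u05e4\u05e1123', 0,0);\n"
    "=cut\n"
    "my $s = 'abc\u202edef';  # RLO in real code\n"
)
```

Running `decide("Prima-1.70/Prima/Drawable/Glyphs.pm", scan_perl(SAMPLE), ["Prima-*/Prima/Drawable/Glyphs.pm"])` yields "ignored", mirroring the proposed ignore entry; without the glob the U+202E on the last line is in code and the result is "block", while hits confined to POD or comments only "log".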
On Wed, 6 Sep 2023 12:26:44 +0200 Petr Pisar wrote:
> Hello,
> I observed a Unicode check failure in the fedora-ci.koji-build.rpminspect.static-analysis test on the perl-Prima-1.70-1.fc40 package in Fedora CI https://bodhi.fedoraproject.org/updates/FEDORA-2023-54d3e14b6e:
> A forbidden code point, 0x202D, was found in the Prima-1.70/Prima/Drawable/Glyphs.pm source file on line 999 at column 3. This source file is used by perl-Prima.spec.
> Suggested remedy:
> The rpminspect configuration file contains a list of forbidden Unicode code points. One was found in the extracted and patched source tree or in one of the text source files in the source RPM. Either remove this code point or discuss the situation with the Product Security Team to determine the correct course of action.
> This is an excerpt from the Glyphs.pm file:
> 995 =for latex-makedoc cut
> 996
> 997 use Prima;
> 998 $::application-> begin_paint;
> 999 $::application-> text_shape_out('אפס123', 0,0);
> 1000
> 1001 123ספא
> 1002
> 1003 =for latex-makedoc cut
> As you can see, it's text from documentation in POD format. The documentation is interleaved with Perl code.
> I classify the test finding as a false positive because Fedora rpminspect policy excludes documentation files, though rpminspect cannot split documentation from code in a single file.
> I tried to disable the unicode check with a local rpminspect.yaml file, but rpminspect insists on security checks not being overridden by a package:
> $ rpminspect -c /usr/share/rpminspect/fedora.yaml -T unicode perl-Prima-1.70-1.fc40.src.rpm
> rpminspect: *** ignoring 'unicode' section in /tmp/rpminspect.yaml; only allowed in system-wide configuration
> My questions:
> Do you agree it's a false positive? Can you sanction amending Fedora rpminspect policy with:
> unicode:
>   ignore:
>     # 0x202D character used on purpose to demonstrate RLE in
>     # a documentation.
>     - Prima-*/Prima/Drawable/Glyphs.pm
Cases like this are handled by adding suppression rules defined in the security directory of the rpminspect-data package:
https://github.com/rpminspect/rpminspect-data-fedora/tree/main/security
You can find a few rules for the unicode inspection there. Open a PR to add new entries.
On Wed, Sep 06, 2023 at 09:34:41PM +0200, Tomas Hoger wrote:
> Cases like this are handled by adding suppression rules defined in the security directory of the rpminspect-data package:
> https://github.com/rpminspect/rpminspect-data-fedora/tree/main/security
> You can find a few rules for the unicode inspection there. Open a PR to add new entries.
Thanks for the pointer. I opened https://github.com/rpminspect/rpminspect-data-fedora/pull/43.
-- Petr