[tex-k] BiDi Trojan Source Code

Doug McKenna doug at mathemaesthetics.com
Tue Nov 2 16:26:44 CET 2021

This is quite the security bug:


“Bringing all this together, we arrive at a novel supply-chain attack on source code. By injecting Unicode Bidi override characters into comments and strings, an adversary can produce syntactically-valid source code in most modern languages for which the display order of characters presents logic that diverges from the real logic. In effect, we anagram program A into program B.”

I'm wondering whether it affects TeX in some way.

Doug McKenna
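
As an added example (not part of the original message), a defender-side check for the characters the quoted passage describes: it reports every Unicode Bidi formatting character in a source file, `.tex` included, and flags lines where an embedding, override or isolate is still open at end of line. The names `scan_source` and `reveal` and the sample text are constructed for illustration.

```python
# Unicode bidirectional formatting characters defined in UAX #9.
BIDI = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u202c": "PDF", "\u2069": "PDI",
}
# Which terminator each opening character expects.
CLOSER = {"LRE": "PDF", "RLE": "PDF", "LRO": "PDF", "RLO": "PDF",
          "LRI": "PDI", "RLI": "PDI", "FSI": "PDI"}


def reveal(line):
    """Return the line in logical order with Bidi controls made visible."""
    return "".join(f"<{BIDI[c]}>" if c in BIDI else c for c in line)


def scan_source(text):
    """Return (line_no, column, label) for each Bidi control found.

    A line that ends with controls still open gets an extra entry
    (line_no, 0, "UNTERMINATED:<count>").
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stack = []  # terminators still expected on this line
        for col, ch in enumerate(line, start=1):
            name = BIDI.get(ch)
            if name is None:
                continue
            findings.append((line_no, col, name))
            if name in CLOSER:
                stack.append(CLOSER[name])
            elif name == "PDI" and "PDI" in stack:
                # PDI ends the last isolate and any embeddings opened inside it.
                while stack.pop() != "PDI":
                    pass
            elif name == "PDF" and stack and stack[-1] == "PDF":
                stack.pop()
        if stack:
            findings.append((line_no, 0, f"UNTERMINATED:{len(stack)}"))
    return findings


# Constructed sample: three TeX lines, controls written as escapes.
SAMPLE = ("\\def\\a{1} % plain comment\n"
          "\\def\\b{2} % \u202e\u2066 note \u2069\u2066\n"
          "\\def\\c{3} % \u202bok\u202c\n")

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding, reveal(SAMPLE.splitlines()[finding[0] - 1]))
```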
