author | Simon Liu <simon@bitcartel.com> | 2015-12-01 23:33:27 -0800 |
---|---|---|
committer | bitcoindev <bitcoindev@gnusha.org> | 2015-12-02 07:33:34 +0000 |
commit | 65c9136db524fcded9ff6aa2abcfeb77d395ea02 (patch) | |
tree | bf1ba356ffee14af6c052803cc79ac36271ff914 | |
parent | fd55e494183e9a56cb702cc8f04a2ebfc02b74e1 (diff) | |
Re: [bitcoin-dev] [BIP Draft] Datastream compression of Blocks and Transactions
-rw-r--r-- | 9d/8153e09fa4dd5dd00ff65bf0c5f1a5a15eedc7 | 127 |
1 files changed, 127 insertions, 0 deletions
diff --git a/9d/8153e09fa4dd5dd00ff65bf0c5f1a5a15eedc7 b/9d/8153e09fa4dd5dd00ff65bf0c5f1a5a15eedc7 new file mode 100644 index 000000000..23e7a83e9 --- /dev/null +++ b/9d/8153e09fa4dd5dd00ff65bf0c5f1a5a15eedc7 
@@ -0,0 +1,127 @@ +Return-Path: <simon@bitcartel.com> +Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org + [172.17.192.35]) + by mail.linuxfoundation.org (Postfix) with ESMTPS id 9562586 + for <bitcoin-dev@lists.linuxfoundation.org>; + Wed, 2 Dec 2015 07:33:34 +0000 (UTC) +X-Greylist: whitelisted by SQLgrey-1.7.6 +Received: from mail-pa0-f47.google.com (mail-pa0-f47.google.com + [209.85.220.47]) + by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 6B8DF12D + for <bitcoin-dev@lists.linuxfoundation.org>; + Wed, 2 Dec 2015 07:33:33 +0000 (UTC) +Received: by padhx2 with SMTP id hx2so32690538pad.1 + for <bitcoin-dev@lists.linuxfoundation.org>; + Tue, 01 Dec 2015 23:33:33 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=bitcartel-com.20150623.gappssmtp.com; s=20150623; + h=subject:to:references:cc:from:message-id:date:user-agent + :mime-version:in-reply-to:content-type:content-transfer-encoding; + bh=ASj30KmPhEwJPehDMHjfZQZhRJwfjVdM8nCMq6F/pcI=; + b=Rr4TSH1dVlye8kZ/PNY4X+b4QKmRyZJQU1gylgB0KiloG9BTt6CKseYOiV9SgPYudn + KS8dm/7Z+mNm5X97/TECgiKOIb8GtewkjcIVbR5LPKSmkafBlQiu7N4oSYNQ9S/zO+ZB + DRp4Ov33n9kCEg1jR7ubOBo112cAKcU28S0jnyYgAbF+RrogS0PGdsO7FJ/48uB/I/7i + j8LXybYMIwAp2Paaih9+DoH8i0/KaQAOnE/AFF0T/pKeUIyrngxkBoRs8nJ2YKmbK/zN + RPCsFoG+F+IJI8RNSYzOkqjGvbT5jldOB2uzsJBJEnutO7tQ7bpikH5Ia0urlqN8ZL2k + O0pg== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20130820; + h=x-gm-message-state:subject:to:references:cc:from:message-id:date + :user-agent:mime-version:in-reply-to:content-type + :content-transfer-encoding; + bh=ASj30KmPhEwJPehDMHjfZQZhRJwfjVdM8nCMq6F/pcI=; + b=aUnng3CpsplvrCfyqVMcTQ8MS3U9TfbUnh/DP2sfG4LY5Nk8N2qu4ZHRTxLpyEC4Mo + n8Uc2GVEyf463kGL5P4toGt3TgVhXS1D8e/FO+8DEZFm24Nvx3w0AxCXGA5s18KckC2M + LAUuKWA6rv7jk1sJ6NR+r4P+4p38r0m0mtosif5887PXIyB/h0itNp8MABIjSUE0OttR + wtZzYvUaavfVOCwz4MySDwxfiPyqWsdE3ZS/PiQUK9w7AXfy0nwiPauiC24+uDCoTTXO + 
oqYYmzL09PeJNviGJ2lTJX0vkf/+MVMnlSsdVwcpM/Ptjxllnr9jC5zibbo01XENFzUd + YSbw== +X-Gm-Message-State: ALoCoQkvZt8b3RRTJcjN1bmZMp+YZpMf2ockltT8KTIMjCRWuX2hXg4XWi5R22qnP0oYbdPVPe8T +X-Received: by 10.98.15.215 with SMTP id 84mr2501612pfp.49.1449041613095; + Tue, 01 Dec 2015 23:33:33 -0800 (PST) +Received: from [192.168.2.5] (c-73-162-159-241.hsd1.ca.comcast.net. + [73.162.159.241]) by smtp.googlemail.com with ESMTPSA id + 7sm2190586pfb.78.2015.12.01.23.33.27 + (version=TLSv1/SSLv3 cipher=OTHER); + Tue, 01 Dec 2015 23:33:28 -0800 (PST) +To: =?UTF-8?Q?Pavel_Jan=c3=adk?= <Pavel@Janik.cz> +References: <565CD7D8.3070102@gmail.com> + <90EF4E6C-9A71-4A35-A938-EAFC1A24DD24@mattcorallo.com> + <04188281-6A0C-4178-B2CA-BDE799C4FE9F@Janik.cz> + <565E30C6.1010002@bitcartel.com> + <AF49F870-0600-47D1-8AC6-EEBFAA5B1C24@Janik.cz> +From: Simon Liu <simon@bitcartel.com> +Message-ID: <565E9EC7.50003@bitcartel.com> +Date: Tue, 1 Dec 2015 23:33:27 -0800 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 + Thunderbird/38.3.0 +MIME-Version: 1.0 +In-Reply-To: <AF49F870-0600-47D1-8AC6-EEBFAA5B1C24@Janik.cz> +Content-Type: text/plain; charset=utf-8 +Content-Transfer-Encoding: 8bit +X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_SIGNED, + DKIM_VALID,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 +X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on + smtp1.linux-foundation.org +X-Mailman-Approved-At: Wed, 02 Dec 2015 15:42:41 +0000 +Cc: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org> +Subject: Re: [bitcoin-dev] [BIP Draft] Datastream compression of Blocks and + Transactions +X-BeenThere: bitcoin-dev@lists.linuxfoundation.org +X-Mailman-Version: 2.1.12 +Precedence: list +List-Id: Bitcoin Development Discussion <bitcoin-dev.lists.linuxfoundation.org> +List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, + <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe> +List-Archive: 
<http://lists.linuxfoundation.org/pipermail/bitcoin-dev/> +List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org> +List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help> +List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, + <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe> +X-List-Received-Date: Wed, 02 Dec 2015 07:33:34 -0000 + +Hi Pavel, + +(my earlier email was moderated, so the list can only see it via your +reply), + +Yes, an attacker could try and send malicious data to take advantage of +a compression library vulnerability... but is it that much worse than +existing attack vectors which might also result in denial of service, +crashes, remote execution? + +Peter, perhaps your BIP can look at possible ways to isolate the +decompression phase, such as having incoming compressed blocks be saved +to a quarantine folder and an external process/daemon decompress and +verify the block's hash? + +Regards, +Simon + + +On 12/01/2015 10:47 PM, Pavel Janík wrote: +> +>> On 02 Dec 2015, at 00:44, Simon Liu <simon@bitcartel.com> wrote: +>> +>> Hi Matt/Pavel, +>> +>> Why is it scary/undesirable? Thanks. +> +> Select your preferable compression library and google for it with +CVE. +> +> E.g. in zlib: +> +> http://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-1820/GNU-Zlib.html +> +> …allows remote attackers to cause a denial of service (crash) via a crafted compressed stream… +> …allows remote attackers to cause a denial of service (application crash)… +> etc. +> +> Do you want to expose such lib to the potential attacker? +> -- +> Pavel Janík +> +> +> +> + |
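Review bot: the added file keeps the full delivery chain, and the last Received header (the ESMTPSA hop into smtp.googlemail.com) records the sender's client side: the private address [192.168.2.5] and a residential comcast.net host with its public address. If this archive is published as-is, consider having the import step drop or redact that submission hop and the X-Received line, and keep only what is needed to thread and attribute the message (From, To, Cc, Date, Message-ID, In-Reply-To, References, Subject). The two DKIM signature headers are only useful for later verification if the signed headers and body are stored byte-for-byte, so either keep them together with an untouched body or drop them along with the rest of the transport headers.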