Return-Path: <patrick.strateman@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 1221789C
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed,  2 Dec 2015 18:44:57 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-pa0-f42.google.com (mail-pa0-f42.google.com
	[209.85.220.42])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id A178C1D5
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed,  2 Dec 2015 18:44:56 +0000 (UTC)
Received: by pacdm15 with SMTP id dm15so48015862pac.3
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed, 02 Dec 2015 10:44:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=message-id:disposition-notification-to:date:from:user-agent
	:mime-version:to:subject:references:in-reply-to:content-type
	:content-transfer-encoding;
	bh=yQ3SI7iYK45QoAWijF0F1inA2NMhHTKCRFdLozcXEYw=;
	b=Vya7sifVbT4cLKgYZoSxI0tPZw6vEdEGGmO5/rkcngHtkh6DQDmbtGZBI4ZDNkw0uk
	51sWNEOMdsI1LuyBmYjAbyU5/PMEQ1TOAxI2zwJ6/wGkXioldd24dceyeZlhjWxQLbWU
	GuQ8F0YZ23vzYO6doD1j+1/BP0e0yM4Hw+7McRKp0B3CzsFa6RjZ7AXS0NJeAi4tpWH2
	84aQVFtRHahB/ooZJIAEiYXQamtp12pqeCXCky8uMrq+FCNjIwiQ9EYBjXLonnDnRX5j
	E2yLNqSPqg2LzeZspKxHr+LC8LFkaaHRoDKQbKRNZkbyUN9xAtXc7gBH8tsYU0oyS0EH
	pd/Q==
X-Received: by 10.98.10.197 with SMTP id 66mr6738904pfk.37.1449081896410;
	Wed, 02 Dec 2015 10:44:56 -0800 (PST)
Received: from [10.1.10.22] (c-24-4-96-213.hsd1.ca.comcast.net. [24.4.96.213])
	by smtp.googlemail.com with ESMTPSA id
	y83sm5784171pfi.85.2015.12.02.10.44.55
	for <bitcoin-dev@lists.linuxfoundation.org>
	(version=TLSv1/SSLv3 cipher=OTHER);
	Wed, 02 Dec 2015 10:44:55 -0800 (PST)
Message-ID: <565F3C43.3040903@gmail.com>
Date: Wed, 02 Dec 2015 10:45:23 -0800
From: Patrick Strateman <patrick.strateman@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:31.0) Gecko/20100101 Icedove/31.8.0
MIME-Version: 1.0
To: bitcoin-dev@lists.linuxfoundation.org
References: <565CD7D8.3070102@gmail.com>	<90EF4E6C-9A71-4A35-A938-EAFC1A24DD24@mattcorallo.com>	<04188281-6A0C-4178-B2CA-BDE799C4FE9F@Janik.cz>	<565E30C6.1010002@bitcartel.com>	<AF49F870-0600-47D1-8AC6-EEBFAA5B1C24@Janik.cz>
	<565E9EC7.50003@bitcartel.com>
In-Reply-To: <565E9EC7.50003@bitcartel.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM,
	RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
X-Mailman-Approved-At: Wed, 02 Dec 2015 18:46:10 +0000
Subject: Re: [bitcoin-dev] [BIP Draft] Datastream compression of Blocks and
 Transactions
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Development Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 18:44:57 -0000

If compression is to be used a custom compression algorithm should be
written.

Bitcoin data is largely incompressible outside of a tiny subset of fields.

On 12/01/2015 11:33 PM, Simon Liu via bitcoin-dev wrote:
> Hi Pavel,
>
> (my earlier email was moderated, so the list can only see it via your
> reply),
>
> Yes, an attacker could try and send malicious data to take advantage of
> a compression library vulnerability...  but is it that much worse than
> existing attack vectors which might also result in denial of service,
> crashes, remote execution?
>
> Peter, perhaps your BIP can look at possible ways to isolate the
> decompression phase, such as having incoming compressed blocks be saved
> to a quarantine folder and an external process/daemon decompress and
> verify the block's hash?
>
> Regards,
> Simon
>
>
> On 12/01/2015 10:47 PM, Pavel Janík wrote:
>>> On 02 Dec 2015, at 00:44, Simon Liu <simon@bitcartel.com> wrote:
>>>
>>> Hi Matt/Pavel,
>>>
>>> Why is it scary/undesirable?  Thanks.
>> Select your preferable compression library and google for it with +CVE.
>>
>> E.g. in zlib:
>>
>> http://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-1820/GNU-Zlib.html
>>
>> …allows remote attackers to cause a denial of service (crash) via a crafted compressed stream…
>> …allows remote attackers to cause a denial of service (application crash)…
>> etc.
>>
>> Do you want to expose such lib to the potential attacker?
>> --  
>> Pavel Janík
>>
>>
>>
>>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev