Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 1221789C for ; Wed, 2 Dec 2015 18:44:57 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-pa0-f42.google.com (mail-pa0-f42.google.com [209.85.220.42]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id A178C1D5 for ; Wed, 2 Dec 2015 18:44:56 +0000 (UTC) Received: by pacdm15 with SMTP id dm15so48015862pac.3 for ; Wed, 02 Dec 2015 10:44:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:disposition-notification-to:date:from:user-agent :mime-version:to:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=yQ3SI7iYK45QoAWijF0F1inA2NMhHTKCRFdLozcXEYw=; b=Vya7sifVbT4cLKgYZoSxI0tPZw6vEdEGGmO5/rkcngHtkh6DQDmbtGZBI4ZDNkw0uk 51sWNEOMdsI1LuyBmYjAbyU5/PMEQ1TOAxI2zwJ6/wGkXioldd24dceyeZlhjWxQLbWU GuQ8F0YZ23vzYO6doD1j+1/BP0e0yM4Hw+7McRKp0B3CzsFa6RjZ7AXS0NJeAi4tpWH2 84aQVFtRHahB/ooZJIAEiYXQamtp12pqeCXCky8uMrq+FCNjIwiQ9EYBjXLonnDnRX5j E2yLNqSPqg2LzeZspKxHr+LC8LFkaaHRoDKQbKRNZkbyUN9xAtXc7gBH8tsYU0oyS0EH pd/Q== X-Received: by 10.98.10.197 with SMTP id 66mr6738904pfk.37.1449081896410; Wed, 02 Dec 2015 10:44:56 -0800 (PST) Received: from [10.1.10.22] (c-24-4-96-213.hsd1.ca.comcast.net. [24.4.96.213]) by smtp.googlemail.com with ESMTPSA id y83sm5784171pfi.85.2015.12.02.10.44.55 for (version=TLSv1/SSLv3 cipher=OTHER); Wed, 02 Dec 2015 10:44:55 -0800 (PST) Message-ID: <565F3C43.3040903@gmail.com> Date: Wed, 02 Dec 2015 10:45:23 -0800 From: Patrick Strateman User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.8.0 MIME-Version: 1.0 To: bitcoin-dev@lists.linuxfoundation.org References: <565CD7D8.3070102@gmail.com> <90EF4E6C-9A71-4A35-A938-EAFC1A24DD24@mattcorallo.com> <04188281-6A0C-4178-B2CA-BDE799C4FE9F@Janik.cz> <565E30C6.1010002@bitcartel.com> <565E9EC7.50003@bitcartel.com> In-Reply-To: <565E9EC7.50003@bitcartel.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Wed, 02 Dec 2015 18:46:10 +0000 Subject: Re: [bitcoin-dev] [BIP Draft] Datastream compression of Blocks and Transactions X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Development Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Dec 2015 18:44:57 -0000 If compression is to be used a custom compression algorithm should be written. Bitcoin data is largely incompressible outside of a tiny subset of fields. On 12/01/2015 11:33 PM, Simon Liu via bitcoin-dev wrote: > Hi Pavel, > > (my earlier email was moderated, so the list can only see it via your > reply), > > Yes, an attacker could try and send malicious data to take advantage of > a compression library vulnerability... but is it that much worse than > existing attack vectors which might also result in denial of service, > crashes, remote execution? > > Peter, perhaps your BIP can look at possible ways to isolate the > decompression phase, such as having incoming compressed blocks be saved > to a quarantine folder and an external process/daemon decompress and > verify the block's hash? > > Regards, > Simon > > > On 12/01/2015 10:47 PM, Pavel Janík wrote: >>> On 02 Dec 2015, at 00:44, Simon Liu wrote: >>> >>> Hi Matt/Pavel, >>> >>> Why is it scary/undesirable? Thanks. >> Select your preferable compression library and google for it with +CVE. >> >> E.g. in zlib: >> >> http://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-1820/GNU-Zlib.html >> >> …allows remote attackers to cause a denial of service (crash) via a crafted compressed stream… >> …allows remote attackers to cause a denial of service (application crash)… >> etc. >> >> Do you want to expose such lib to the potential attacker? >> -- >> Pavel Janík >> >> >> >> > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev