Message-ID: <565F3C43.3040903@gmail.com>
Date: Wed, 02 Dec 2015 10:45:23 -0800
From: Patrick Strateman <patrick.strateman@gmail.com>
To: bitcoin-dev@lists.linuxfoundation.org
References: <565CD7D8.3070102@gmail.com>	<90EF4E6C-9A71-4A35-A938-EAFC1A24DD24@mattcorallo.com>	<04188281-6A0C-4178-B2CA-BDE799C4FE9F@Janik.cz>	<565E30C6.1010002@bitcartel.com>	<AF49F870-0600-47D1-8AC6-EEBFAA5B1C24@Janik.cz>
	<565E9EC7.50003@bitcartel.com>
In-Reply-To: <565E9EC7.50003@bitcartel.com>
Subject: Re: [bitcoin-dev] [BIP Draft] Datastream compression of Blocks and
 Transactions

If compression is to be used, a custom compression algorithm should be
written.

Bitcoin data is largely incompressible outside of a tiny subset of fields.

On 12/01/2015 11:33 PM, Simon Liu via bitcoin-dev wrote:
> Hi Pavel,
>
> (my earlier email was moderated, so the list can only see it via your
> reply),
>
> Yes, an attacker could try and send malicious data to take advantage of
> a compression library vulnerability...  but is it that much worse than
> existing attack vectors which might also result in denial of service,
> crashes, remote execution?
>
> Peter, perhaps your BIP can look at possible ways to isolate the
> decompression phase, such as having incoming compressed blocks be saved
> to a quarantine folder and an external process/daemon decompress and
> verify the block's hash?
>
> Regards,
> Simon
>
>
> On 12/01/2015 10:47 PM, Pavel Janík wrote:
>>> On 02 Dec 2015, at 00:44, Simon Liu <simon@bitcartel.com> wrote:
>>>
>>> Hi Matt/Pavel,
>>>
>>> Why is it scary/undesirable?  Thanks.
>> Select your preferable compression library and google for it with +CVE.
>>
>> E.g. in zlib:
>>
>> http://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-1820/GNU-Zlib.html
>>
>> …allows remote attackers to cause a denial of service (crash) via a crafted compressed stream…
>> …allows remote attackers to cause a denial of service (application crash)…
>> etc.
>>
>> Do you want to expose such lib to the potential attacker?
>> --  
>> Pavel Janík
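
The isolation idea raised in the quoted message (decompress in a separate process, then verify the block's hash) can be sketched as follows. This is an added example, not code from the thread or from any BIP. It assumes zlib as the codec, a 4 MB output cap, a POSIX host, a pipe to the child rather than a quarantine folder, and an expected header hash already known to the node. The names `decompress_isolated`, `WORKER` and `MAX_BLOCK` are hypothetical.

```python
import hashlib, resource, subprocess, sys

MAX_BLOCK = 4_000_000  # assumed cap on decompressed size, in bytes

# Worker source: runs in a child process and never emits more than `limit` bytes.
WORKER = r"""
import sys, zlib
limit = int(sys.argv[1])
d = zlib.decompressobj()
out = d.decompress(sys.stdin.buffer.read(), limit + 1)  # hard output cap
if len(out) > limit or not d.eof:   # oversized, or truncated stream
    sys.exit(1)
sys.stdout.buffer.write(out)
"""

def _lower(res, value):
    # Lower a limit without ever trying to exceed the inherited hard limit.
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))

def _limits():
    _lower(resource.RLIMIT_CPU, 5)            # seconds of CPU
    _lower(resource.RLIMIT_AS, 512 * 2**20)   # bytes of address space

def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def decompress_isolated(blob, expected_hash, max_out=MAX_BLOCK):
    """Return the decompressed block, or None if anything looks wrong."""
    if len(blob) > max_out:
        return None
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", WORKER, str(max_out)],
            input=blob, capture_output=True, timeout=10, preexec_fn=_limits)
    except subprocess.TimeoutExpired:
        return None
    raw = proc.stdout
    if proc.returncode != 0 or not 80 <= len(raw) <= max_out:
        return None
    # Block hash = double SHA-256 of the 80-byte header (raw digest order here).
    if sha256d(raw[:80]) != expected_hash:
        return None
    return raw
```

The header hash does not cover the transaction bytes, so the usual merkle-root and consensus validation still has to run on the returned data. The resource limits only contain a crash or runaway allocation in the child; they do not sandbox it against code execution.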