Why verify zlib?

Pascal Cuoq - 14th Jan 2013

As an interlude in the zlib verification thread, this post asks two questions. Is there any chance of finding a bug in zlib, and does it matter?

Could there be a bug in zlib?

It is not entirely impossible. The previous post in this blog pointed to a relatively minor issue in the zlib source code, and the next post will show a more serious (albeit still minor) one.

In July of 2005, a buffer overflow in zlib was found by Tavis Ormandy. Key quote: “An attacker could construct a malformed data stream embedding it within network communication or an application file format potentially resulting in the execution of arbitrary code when decoded by the application using the zlib library.”

If you have been following the zlib thread this is exactly the context we are investigating: decompression of a maliciously crafted stream.

Does it matter?

In 2005 people did think it mattered. The CVE summary points out that zlib is involved when decompressing a PNG image (most users think of PNG images as innocuous objects that they should be allowed to look at regardless of origin without compromising the host computer). Other examples are the “Windows binary of Virtual Floppy Drive 2.1” and “Official Windows binaries of curl”. I do not think that list is exhaustive. Does the HTTP/1.1 protocol not allow for zlib-compressed data to be exchanged between client and server? A malicious client could cause a buffer overflow on the server with a simple request and/or a malicious server could cause a buffer overflow in the client by replying to a request with specially crafted pretend-compressed data.

And a benchmark for the future

I am making a deliberate effort not to look at that bug now but it goes without saying that when the verification of zlib is done I will check that the same method find the bug that was in the pre-July-2005 version.

Pascal Cuoq
14th Jan 2013