I use a proprietary virus scanner that I highly suspect to statically use zlib 1.1.3 (according to find-zlib.pl). The vendor tells me 'he thinks' it is not vulnerable, but I want to be sure by myself (and to force him to release a version compiled with zlib 1.1.4).

I tried to create an evil gz file by using a standard gz header, followed by random data, and to test it against minigzip (included in the zlib sources). Surprisingly, it is very easy to create a file that crashes zlib:

  (cat *.c | gzip -9 | dd bs=1 count=80 ; dd if=/dev/urandom bs=1 count=100) | ./minigzip -d
  Segmentation fault

With count=80, it's only a few tries. I also tried this with zlib 1.1.4 and (hopefully) only got:

  ./minigzip: failed gzclose

Once I got an evil gz file, I tried my closed-source virus scanner, but I have not been able to crash it.

Is there any reason that my scanner does not crash if it uses zlib 1.1.3? Has someone already tried (and succeeded) to crash a program this way instead of trying to detect zlib in the binary?

Thanks,
-- Mathieu Lafon
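A scripted version of the approach described in the post, added here as an example (it is neither Mathieu's code nor part of zlib): take a valid gzip stream, cut it after a configurable number of bytes so the decoder is already inside the deflate data, append seeded pseudo-random bytes, and feed the result to a decompressor while classifying what happens. The sample text standing in for `cat *.c`, the default target command `./minigzip -d`, and the `evil-<seed>.gz` output names are assumptions for the example; the seed makes every input reproducible, so a crashing case can be regenerated and handed to a vendor.

```python
#!/usr/bin/env python3
"""Generate gzip-header-plus-garbage inputs and classify how a decompressor reacts."""
import gzip
import random
import signal
import subprocess
import sys
import zlib

# Constructed stand-in for the `cat *.c` data in the original post.
SAMPLE = b"int main(void) { return 0; }\n" * 200


def make_evil_gz(prefix_len=80, tail_len=100, seed=0):
    """Return a valid gzip stream truncated at prefix_len bytes followed by
    tail_len bytes from a seeded PRNG (prefix_len=None keeps the whole stream).
    Seeding replaces /dev/urandom so that any crashing input is reproducible."""
    valid = gzip.compress(SAMPLE, compresslevel=9)
    rng = random.Random(seed)
    tail = bytes(rng.getrandbits(8) for _ in range(tail_len))
    return valid[:prefix_len] + tail


def classify(returncode):
    """Map a subprocess return code to an outcome label.
    subprocess reports death by signal as a negative code (-11 for SIGSEGV);
    a shell wrapper would instead report 128+n, so invoke the binary directly."""
    if returncode < 0:
        try:
            return "crash:" + signal.Signals(-returncode).name
        except ValueError:
            return f"crash:signal{-returncode}"
    if returncode == 0:
        return "accepted"
    return "error"


def run_target(cmd, data, timeout=5):
    """Pipe data into cmd on stdin and classify the result, treating hangs as a finding."""
    try:
        proc = subprocess.run(cmd, input=data, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify(proc.returncode)


def inprocess_check(data):
    """Oracle using the zlib Python itself links against (a current, patched one):
    anything other than a clean error on such input would be noteworthy."""
    try:
        gzip.decompress(data)
        return "accepted"
    except (OSError, EOFError, zlib.error):
        # gzip.BadGzipFile is an OSError subclass.
        return "error"


def fuzz(cmd, tries=200, prefix_len=80, tail_len=100):
    """Run `tries` seeded inputs through cmd; return (seed, outcome) for every
    non-error outcome and save those inputs as evil-<seed>.gz for reproduction."""
    findings = []
    for seed in range(tries):
        data = make_evil_gz(prefix_len, tail_len, seed)
        outcome = run_target(cmd, data)
        if outcome != "error":
            findings.append((seed, outcome))
            with open(f"evil-{seed}.gz", "wb") as f:
                f.write(data)
    return findings


if __name__ == "__main__":
    # Usage: ./evilgz.py [target command...]   (default assumes ./minigzip -d)
    target = sys.argv[1:] or ["./minigzip", "-d"]
    for seed, outcome in fuzz(target):
        print(f"seed={seed}: {outcome}")
```

Because the target reads stdin rather than a file, the same script works against a scanner that accepts streamed input; for one that only opens files, write the `evil-<seed>.gz` file first and pass its path in the command. Note that a process can also corrupt memory without dying, so a clean "error" from the target does not by itself prove the embedded zlib is patched; a crash only proves it is not.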
This archive was generated by hypermail 2b30 : Thu Mar 21 2002 - 16:11:01 PST