[langsec-discuss] delimited base64 file specification

Felix 'FX' Lindner fx at recurity-labs.com
Wed Mar 20 15:12:42 UTC 2013


On Wed, 20 Mar 2013 08:17:58 -0600 Michael Ossmann <mike at ossmann.com>
> On Wed, Mar 20, 2013 at 09:02:28AM +0000, lee hughes wrote:
> >
> > However, if the base64 contains a zip or other archive format, then
> > the underlying zip would carry some of this information. :-)
> That is a good suggestion.  Even ignoring benefits like integrity
> checking that many archive formats provide, it makes sense to compress
> delimited base64 files since they have been expanded by the encoding.

please don't.

It's hard enough to get one thing right. And by the way, wouldn't the
compressed data form another language?

Anyway, my argument against that is more practical and experience-based
in nature:
OSVDB ID: 29005 gzip unlzh.c make_table() Function Stack Modification Code Execution
OSVDB ID: 29006 gzip unpack.c build_tree() Function Overflow
OSVDB ID: 29004 gzip Unspecified NULL Dereference DoS
OSVDB ID: 29008 gzip unlzh.c huft_build() Function Infinite Loop DoS
OSVDB ID: 29007 gzip LZH Support make_table() Function Overflow

The cost of bandwidth and storage decreases constantly, so why bother
with the past when designing for the future?


Recurity Labs GmbH           | Felix 'FX' Lindner 
http://www.recurity-labs.com | fx at recurity-labs.com 
Wrangelstrasse 4             | Fon: +49 30 69539993-0
10997 Berlin                 | PGP: A740 DE51 9891 19DF 0D05  
Germany                      |      13B3 1759 C388 C92D 6BBB
HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner
