Re: Zlib vulnerability heads-up.

John Gray <jgray@azuli.co.uk>

From: John Gray <jgray@azuli.co.uk>
To: Lamar Owen <lamar.owen@wgcr.org>
Cc: pgsql-hackers@postgresql.org
Date: 2002-03-12T17:18:35Z
Lists: pgsql-hackers, pgsql-general
On Tue, 2002-03-12 at 16:05, Lamar Owen wrote:
> As PostgreSQL uses the zlib library (for TOAST?), this is a headsup that a 
> bug has been found in the zlib library that could  cause data corruption or a 
> security breach.
> 

True enough, ldd on my system says that postgres is linked against zlib,
but I knew that TOAST didn't use it (it uses
src/backend/utils/adt/pg_lzcompress.c), so what does?

After a quick look, I offer the following summary:

"zlib" is listed as a loadable module in PL/Python (but I don't know
whether this is related to the same zlib at all)
 
zlib.h *is* used by the "custom" format of pg_dump.

Maybe I'm missing something, though - I just did a grep for "zlib" and
HAVE_LIBZ through the source. 

This also suggests that the postgres backend needn't be linked against
zlib at all, if pg_dump is the only utility using it. 

The risk from this vulnerability is that someone receiving a dump in
custom format and using pg_restore on it might be at risk of a trojan
attack - but this seems like a very slim risk (how many people would
attempt to load a data dump from an untrusted source into their DB?).

Nonetheless, it's useful to know this (and it also means I've spotted
the (possibly) unnecessary library link :)

Regards

John