From: | John Gray <jgray(at)azuli(dot)co(dot)uk> |
---|---|
To: | Lamar Owen <lamar(dot)owen(at)wgcr(dot)org> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Zlib vulnerability heads-up. |
Date: | 2002-03-12 17:18:35 |
Message-ID: | 1015953519.751.7.camel@adzuki |
Lists: | pgsql-general pgsql-hackers |
On Tue, 2002-03-12 at 16:05, Lamar Owen wrote:
> As PostgreSQL uses the zlib library (for TOAST?), this is a heads-up that a
> bug has been found in the zlib library that could cause data corruption or a
> security breach.
>
True enough, ldd on my system says that postgres is linked against zlib,
but I knew that TOAST didn't use it (it uses
src/backend/utils/adt/pg_lzcompress.c), so what does?

After a quick look, I offer the following summary:

- "zlib" is listed as a loadable module in PL/Python (but I don't know
  whether this is related to the same zlib at all)
- zlib.h *is* used by the "custom" format of pg_dump.

Maybe I'm missing something, though - I just did a grep for "zlib" and
HAVE_LIBZ through the source.

This also suggests that the postgres backend needn't be linked against
zlib at all, if pg_dump is the only utility using it.

The risk from this vulnerability is that someone receiving a dump in
custom format and using pg_restore on it might be at risk of a trojan
attack - but this seems like a very slim risk (how many people would
attempt to load a data dump from an untrusted source into their DB?).

Nonetheless, it's useful to know this (and it also means I've spotted
the (possibly) unnecessary library link :)

Regards

John
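An added example, not from this post or from the PostgreSQL sources: a small Python parser for the fixed header that pg_dump writes at the start of an archive, so that a dump received from elsewhere can be checked for its format and compression flag before it is handed to pg_restore (a non-zero compression value is what makes pg_restore pass the data members through zlib's inflate). The layout is assumed from WriteHead()/WriteInt() in src/bin/pg_dump/pg_backup_archiver.c as I recall them (magic, three version bytes, intSize, an offSize byte from archive version 1.7 on, a format byte, then compression as a sign byte plus intSize little-endian bytes); the sample headers are constructed, and the layout should be checked against the source tree in use.

```python
# Assumed header layout (pg_backup_archiver.c WriteHead/WriteInt, from memory):
#   "PGDMP", vmaj, vmin, vrev, intSize, [offSize from 1.7], format,
#   then compression = sign byte (1 = negative) + intSize little-endian bytes.
MAGIC = b"PGDMP"
# ArchiveFormat enum values as assumed: archCustom = 1, archTar = 3, ...
FORMATS = {0: "unknown", 1: "custom", 2: "files", 3: "tar", 4: "null"}


def read_int(buf, pos, int_size):
    """Decode one WriteInt() value at buf[pos]; return (value, next_pos)."""
    sign = buf[pos]
    magnitude = int.from_bytes(buf[pos + 1:pos + 1 + int_size], "little")
    return (-magnitude if sign else magnitude), pos + 1 + int_size


def parse_header(buf):
    """Parse the leading bytes of a pg_dump archive into a dict."""
    if buf[:5] != MAGIC:
        raise ValueError("not a pg_dump archive: PGDMP magic missing")
    vmaj, vmin, vrev, int_size = buf[5], buf[6], buf[7], buf[8]
    pos = 9
    off_size = None
    if (vmaj, vmin) >= (1, 7):          # offSize byte added in archive version 1.7
        off_size, pos = buf[pos], pos + 1
    fmt, pos = buf[pos], pos + 1
    compression = None                  # treated as unknown for archives older than 1.4
    if (vmaj, vmin) >= (1, 4):
        compression, pos = read_int(buf, pos, int_size)
    return {"version": (vmaj, vmin, vrev), "int_size": int_size,
            "off_size": off_size, "format": FORMATS.get(fmt, "invalid"),
            "compression": compression}


def needs_inflate(header):
    """True when pg_restore would run zlib on the archive's data members:
    custom format with a non-zero level (-1 selects zlib's default level)."""
    return header["format"] == "custom" and header["compression"] not in (None, 0)


def make_header(vmaj, vmin, vrev, int_size, off_size, fmt, compression):
    """Build a constructed sample header mirroring the assumed layout."""
    buf = MAGIC + bytes([vmaj, vmin, vrev, int_size])
    if (vmaj, vmin) >= (1, 7):
        buf += bytes([off_size])
    buf += bytes([fmt])
    if (vmaj, vmin) >= (1, 4):
        buf += bytes([1 if compression < 0 else 0])
        buf += abs(compression).to_bytes(int_size, "little")
    return buf


# Constructed samples: a custom dump at zlib's default level and an uncompressed one.
COMPRESSED_DUMP = make_header(1, 7, 0, 4, 8, 1, -1)
PLAIN_DUMP = make_header(1, 7, 0, 4, 8, 1, 0)
```

Reading only the first few dozen bytes of a file is enough for this check; run it on the untrusted dump before deciding whether pg_restore on an unpatched zlib is acceptable.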