If everyone has the same parser the whole classes of bugs just stop being exploitable. The classic one being one parser at the edge validates somethhing and the further down the line sees another result which it expects tp be rejected during validation.

Both parsers could be buggy, but when they have different kinds of bugs, you get a zero click undetectable exploit

▲

woodruffw 3 days ago | parent | next [-]

I don’t think it’s this simple: you can still produce observable differentials with a single parser by using different options within that parser in different places. The ZIP format itself affords ample opportunities for that.

▲

hinkley 2 days ago | parent [-]

The settings are at encode time. For two readers the results should be unambiguous.

▲

woodruffw 2 days ago | parent [-]

There are plenty of decode-time knobs, even within a single ZIP parser. Here are just a few you could set while using libzip[1].

[1]: https://libzip.org/documentation/zip_open.html#DESCRIPTION

▲

hinkley 2 days ago | parent [-]

That’s not a lot of settings, and that’s libzib, which is not zlib.

	▲	woodruffw 2 days ago \| parent [-]
		Differentials are oracular; you only need one bit. And I’m not claiming it’s in zlib, since zlib isn’t a ZIP library. TFA here is about ZIP differentials, not differentials in DEFLATE stream parsers.

▲

aaviator42 3 days ago | parent | prev [-]

It significantly increases the attack surfaces of bugs that do exist in the parser if the same implementation is used everywhere.