The ISRG (Internet Security Research Group) organization, which is the founder of the Let's Encrypt project and promotes the development of technologies to increase the security of the Internet, presented the zlib-rs project to create a secure analogue of the zlib data compression library. The zlib-rs code is written in Rust and is distributed under the Zlib license. Development is carried out with an eye on the zlib-ng project, which develops a high-performance version of zlib. The project has developed two libraries: zlib-rs, an implementation of the zlib API that does not use unsafe blocks; libz-rs-sys is an add-on with C API support that contains code in βunsafeβ mode.
The reason for creating zlib-rs is said to be to provide a version of zlib that avoids potential breakdowns caused by memory errors. According to Microsoft and Google, about 70% of vulnerabilities are caused by unsafe memory handling. It is expected that using the Rust language to develop zlib-rs will reduce the risk of vulnerabilities caused by unsafe work with memory, and eliminate the occurrence of errors such as accessing a memory area after it has been freed and overrunning the buffer.
The Zlib library is widely distributed and used as a dependency on many systems, although dangerous vulnerabilities periodically appear in the Zlib code. For example, in 2022, a buffer overflow was discovered in zlib when attempting to compress a specially prepared sequence of characters, which made it possible to exploit the vulnerability through the transmission of specially formatted incoming data.
Source: opennet.ru
