[illumos-Developer] Webrev for bug 1102: Resource exhaustion in sftp client

Bayard Bell buffer.g.overflow at googlemail.com
Thu Jun 23 12:50:18 PDT 2011


On 23 Jun 2011, at 20:42, Gary Mills wrote:

> On Thu, Jun 23, 2011 at 12:46:10PM -0500, Gary Mills wrote:
>> On Tue, Jun 14, 2011 at 10:27:40AM -0400, Gordon Ross wrote:
>>> On Tue, Jun 14, 2011 at 8:25 AM, Gary Mills <mills at cc.umanitoba.ca> wrote:
>>>> On Fri, Jun 10, 2011 at 10:05:25AM -0500, Gary Mills wrote:
>>>>> This is for illumos bug 1102: Resource exhaustion in sftp client.
>>>>> It's essentially the netbsd patches applied to the private glob
>>>>> library used by sftp.  This is not a security vulnerability as it's on
>>>>> the client side only.  Nevertheless, the BSD variants have been
>>>>> patched to prevent resource exhaustion.
> [...]
>> I'll see if I can submit the patches upstream.
> 
> According to the changelog for portable openssh, they're already
> there:
> 
> 20110112
>  - OpenBSD CVS Sync
>    - nicm at cvs.openbsd.org 2010/10/08 21:48:42
>      [openbsd-compat/glob.c]
>      Extend GLOB_LIMIT to cover readdir and stat and bump the malloc limit
>      from ARG_MAX to 64K.
>      Fixes glob-using programs (notably ftp) able to be triggered to hit
>      resource limits.
>      Idea from a similar NetBSD change, original problem reported by jasper at .
>      ok millert tedu jasper
> 
> So, once the ssh product is updated from upstream, their resource
> limit fixes will be present.

There isn't any simple pull from upstream for ssh, as SUNWssh is a somewhat different creature than openssh-portable.
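
The changelog entry quoted above extends the glob limit from allocation to readdir and stat as well. As an added illustration (not part of the original message, and not the OpenBSD, NetBSD or illumos glob code), the C function below expands one directory's wildcard matches while charging every readdir(), stat() and stored byte to a caller-supplied budget; `bounded_glob`, `bg_limits`, `bg_free` and the `BG_*` codes are hypothetical names, and the budget values are the caller's choice.

```c
/* Added example (hypothetical names, not illumos/OpenSSH/NetBSD code):
 * expand a wildcard in one directory under readdir, stat and memory budgets. */
#include <dirent.h>
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

enum { BG_OK = 0, BG_NOSPACE = -1, BG_ABORTED = -2 };
struct bg_limits { size_t readdirs, stats, bytes; };  /* remaining budget */
static void bg_free(char **v, size_t n) { while (n > 0) free(v[--n]); free(v); }

/* Match pat against the entries of dir. With dirs_only set, each match is
 * stat()ed and kept only if it is a directory. An exhausted budget stops the
 * scan with BG_NOSPACE and returns no partial result. */
int bounded_glob(const char *dir, const char *pat, int dirs_only,
                 struct bg_limits *lim, char ***out, size_t *n) {
    char path[4096], **v = NULL;
    struct dirent *e;
    struct stat st;
    int rc = BG_OK;
    DIR *d = opendir(dir);
    *out = NULL; *n = 0;
    if (d == NULL) return BG_ABORTED;
    while (rc == BG_OK) {
        if (lim->readdirs == 0) { rc = BG_NOSPACE; break; }
        lim->readdirs--;                       /* charged before the call */
        if ((e = readdir(d)) == NULL) break;   /* end of directory */
        if (fnmatch(pat, e->d_name, FNM_PERIOD) != 0) continue;
        int len = snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (len < 0 || (size_t)len >= sizeof path) continue;
        if (dirs_only) {
            if (lim->stats == 0) { rc = BG_NOSPACE; break; }
            lim->stats--;
            if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode)) continue;
        }
        size_t need = (size_t)len + 1 + sizeof *v;  /* string plus its slot */
        if (need > lim->bytes) { rc = BG_NOSPACE; break; }
        lim->bytes -= need;
        char **nv = realloc(v, (*n + 1) * sizeof *v);
        if (nv == NULL) { rc = BG_NOSPACE; break; }
        v = nv;
        if ((v[*n] = malloc((size_t)len + 1)) == NULL) { rc = BG_NOSPACE; break; }
        memcpy(v[(*n)++], path, (size_t)len + 1);
    }
    closedir(d);
    if (rc == BG_OK) *out = v; else { bg_free(v, *n); *n = 0; }
    return rc;
}
```

A `bytes` budget of `64 * 1024` corresponds to the 64K figure in the changelog; the readdir and stat budgets have no value on this page and must be chosen by the caller.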
