[illumos-Developer] Webrev for bug 1102: Resource exhaustion in sftp client
Albert Lee
trisk at opensolaris.org
Thu Jun 23 13:03:18 PDT 2011
On Thu, Jun 23, 2011 at 3:50 PM, Bayard Bell
<buffer.g.overflow at googlemail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> On 23 Jun 2011, at 20:42, Gary Mills wrote:
>
>> On Thu, Jun 23, 2011 at 12:46:10PM -0500, Gary Mills wrote:
>>> On Tue, Jun 14, 2011 at 10:27:40AM -0400, Gordon Ross wrote:
>>>> On Tue, Jun 14, 2011 at 8:25 AM, Gary Mills <mills at cc.umanitoba.ca> wrote:
>>>>> On Fri, Jun 10, 2011 at 10:05:25AM -0500, Gary Mills wrote:
>>>>>> This is for illumos bug 1102: Resource exhaustion in sftp client.
>>>>>> It's essentially the netbsd patches applied to the private glob
>>>>>> library used by sftp. This is not a security vulnerability as it's on
>>>>>> the client side only. Nevertheless, the BSD variants have been
>>>>>> patched to prevent resource exhaustion.
>> [...]
>>> I'll see if I can submit the patches upstream.
>>
>> According to the changelog for portable openssh, they're already
>> there:
>>
>> 20110112
>> - OpenBSD CVS Sync
>> - nicm at cvs.openbsd.org 2010/10/08 21:48:42
>> [openbsd-compat/glob.c]
>> Extend GLOB_LIMIT to cover readdir and stat and bump the malloc limit
>> from ARG_MAX to 64K.
>> Fixes glob-using programs (notably ftp) able to be triggered to hit
>> resource limits.
>> Idea from a similar NetBSD change, original problem reported by jasper at .
>> ok millert tedu jasper
>>
>> So, once the ssh product is updated from upstream, their resource
>> limit fixes will be present.
>
> There isn't any simple pull from upstream for ssh, as SUNWssh is a somewhat different creature than openssh-portable.
Trying to sync with openssh-portable will be a much larger endeavour
than the scope of this issue. I'm happy with Gary's additional info,
are there any remaining concerns?
-Albert
More information about the Developer
mailing list