Re: glob resource exhaustion [CVE-2010-2632]
From: Paul Eggert
Subject: Re: glob resource exhaustion [CVE-2010-2632]
Date: Wed, 13 Oct 2010 15:49:27 -0700
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.12) Gecko/20100915 Thunderbird/3.0.8

On 10/13/10 15:38, Bruno Haible wrote:
> But why should this be a bug in libc? There are many functions in libc that
> can allocate an arbitrary amount of memory.

I agree that applications should set reasonable memory limits, but
this is still a bug in glob, because glob should not return duplicates.
For example, the pattern {.,.} should match just ".", not two instances
of "." as it does now. Just as the pattern x**y should not generate
multiple occurrences of "xfooy" merely because there are multiple ways
to match "xfooy", the pattern {.,.} should not generate multiple occurrences
of "." merely because there are multiple ways to match ".".

Filtering out duplicates would not fix all possible denial-of-service
attacks, but it will help, and it should be done anyway, because users
don't expect glob to return duplicates.
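
Added example, not part of the original message and not code from glibc or gnulib: a caller-side filter that collapses duplicate glob() results such as the two "." entries discussed above for {.,.}. The helper names glob_dedup and glob_unique are hypothetical, and the code assumes a libc that provides GLOB_BRACE and that GLOB_DOOFFS is not used.

```c
#define _DEFAULT_SOURCE   /* GLOB_BRACE is an extension, not POSIX */
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static int cmp_path(const void *a, const void *b)
{
    return strcmp(*(char *const *)a, *(char *const *)b);
}

/* Sort g->gl_pathv and move one copy of each distinct path to the front.
 * Returns the number of distinct paths. gl_pathc is left unchanged and the
 * duplicates stay in the tail, so globfree() still releases every string. */
size_t glob_dedup(glob_t *g)
{
    char **v = g->gl_pathv;
    size_t n = g->gl_pathc, w = 0;
    if (n == 0)
        return 0;
    qsort(v, n, sizeof *v, cmp_path);
    for (size_t r = 1; r < n; r++) {
        if (strcmp(v[r], v[w]) != 0) {
            char *t = v[++w];      /* swap keeps duplicates reachable */
            v[w] = v[r];
            v[r] = t;
        }
    }
    return w + 1;
}

/* glob() followed by duplicate filtering; 0 means no match or error.
 * The caller calls globfree(g) in every case. */
size_t glob_unique(const char *pattern, int flags, glob_t *g)
{
    if (glob(pattern, flags, NULL, g) != 0)
        return 0;
    return glob_dedup(g);
}

int main(void)
{
    glob_t g;
    size_t n = glob_unique("{.,.}", GLOB_BRACE, &g);
    printf("raw matches: %zu, distinct: %zu\n", (size_t)g.gl_pathc, n);
    for (size_t i = 0; i < n; i++)
        puts(g.gl_pathv[i]);
    globfree(&g);
    return 0;
}
```

This only removes duplicates after glob() has already allocated them, so it does not bound the memory glob() itself uses.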