Subject: Re: Possible bug with ls or ftpd ?
To: Frank DENIS (Jedi/Sector One) <j@4u.net>
From: Luke Mewburn <lukem@wasabisystems.com>
List: netbsd-bugs
Date: 03/18/2001 10:37:13
On Thu, Mar 15, 2001 at 09:49:55AM +0100, Frank DENIS (Jedi/Sector One) wrote:
> 
>   Hello, and sorry if this isn't the right list to post this.
>   
>   I'm not a NetBSD user, however, I just noticed something strange on the
> ftp.netbsd.org FTP server:
> 
> ftp ftp.netbsd.org
> 230 Guest login ok, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp>  ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
> 229 Entering Extended Passive Mode (|||62254|)
> 200 EPRT command successful.
> 
>   Then, the connection freezes for a while and the client aborts with:
>   
> 421 Service not available, remote server timed out. Connection closed
>   
>   I guess the command takes a lot of CPU time, and a possible DOS can follow.
>   
>   Please apologize if this is a known bug, but I have no NetBSD system to
> check if this is a real issue or if I'm mistaken.

This has been fixed in NetBSD-current (by fixing glob(3) to limit the
number of expansions if GLOB_LIMIT is given).

By the way, as other people mentioned on bugtraq, giving a vendor more
than 15 minutes notice of a bug before announcing it on bugtraq is
usually the polite thing to do.
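To show why a pattern like `*/../*/../*` is expensive and how a match limit of the kind the reply describes stops it, here is an added example (not code from the thread, NetBSD's ftpd or its glob(3)): a minimal glob expander over a constructed in-memory directory tree that counts every candidate path and aborts once a caller-supplied limit is exceeded. The tree, the `expand` and `expansions_or_none` helpers and the exception type are assumptions for illustration; counting intermediate candidates is a stricter variant of GLOB_LIMIT, which in BSD glob(3) caps the number of returned pathnames.

```python
import fnmatch

class GlobLimitExceeded(Exception):
    """Raised when a pattern would expand past the caller's limit."""

# Constructed sample tree: one directory with four subdirectories (all
# entries are directories so that '..' always has a parent to return to).
SAMPLE_TREE = {"a": {}, "b": {}, "c": {}, "d": {}}

def expand(tree, pattern, limit=None):
    """Expand a '/'-separated glob pattern against an in-memory tree.

    Every wildcard segment is matched against the current directory's
    entries and each match becomes a new candidate path.  A '..' segment
    steps back to the parent, so '*/../*/../*' yields N**3 candidate
    strings for a directory of N entries even though they all resolve to
    the same N names.  `limit` caps the total number of candidates
    considered (assumption: stricter than BSD GLOB_LIMIT, which caps the
    number of returned pathnames).
    """
    segments = pattern.split("/")
    results = []
    considered = 0

    def walk(stack, parts, idx):
        nonlocal considered
        if idx == len(segments):
            results.append("/".join(parts))
            return
        seg = segments[idx]
        if seg == "..":
            parent = stack[:-1] if len(stack) > 1 else stack
            walk(parent, parts + [seg], idx + 1)
            return
        for name in sorted(stack[-1]):
            if not fnmatch.fnmatchcase(name, seg):
                continue
            considered += 1
            if limit is not None and considered > limit:
                raise GlobLimitExceeded(
                    f"pattern {pattern!r} exceeds {limit} expansions")
            walk(stack + [stack[-1][name]], parts + [name], idx + 1)

    walk([tree], [], 0)
    return results

def expansions_or_none(tree, pattern, limit):
    """Number of expansions, or None when the limit cuts the pattern off."""
    try:
        return len(expand(tree, pattern, limit))
    except GlobLimitExceeded:
        return None
```

With four entries the three-star pattern considers 4 + 16 + 64 = 84 candidates and returns 64 strings, so a limit of 50 aborts it while the harmless `*` still returns its four names.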