main/openssh/CVE-2017-15906.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

From a6981567e8e215acc1ef690c8dbb30f2d9b00a19 Mon Sep 17 00:00:00 2001
From: djm <djm@openbsd.org>
Date: Tue, 4 Apr 2017 00:24:56 +0000
Subject: [PATCH] disallow creation (of empty files) in read-only mode;
 reported by Michal Zalewski, feedback & ok deraadt@

---
 usr.bin/ssh/sftp-server.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sftp-server.c b/sftp-server.c
index 2510d234a3a..42249ebd60d 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -683,8 +683,8 @@ process_open(u_int32_t id)
 	logit("open \"%s\" flags %s mode 0%o",
 	    name, string_from_portable(pflags), mode);
 	if (readonly &&
-	    ((flags & O_ACCMODE) == O_WRONLY ||
-	    (flags & O_ACCMODE) == O_RDWR)) {
+	    ((flags & O_ACCMODE) != O_RDONLY ||
+	    (flags & (O_CREAT|O_TRUNC)) != 0)) {
 		verbose("Refusing open request in read-only mode");
 		status = SSH2_FX_PERMISSION_DENIED;
 	} else {