CVE-2017-15906: Avoid improper write operations in readonly mode (#1506630)

openssh-7.5p1-sftp-empty-files.patch

@@ -0,0 +1,35 @@
+From 4d827f0d75a53d3952288ab882efbddea7ffadfe Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 4 Apr 2017 00:24:56 +0000
+Subject: [PATCH] upstream commit
+
+disallow creation (of empty files) in read-only mode;
+reported by Michal Zalewski, feedback & ok deraadt@
+
+Upstream-ID: 5d9c8f2fa8511d4ecf95322994ffe73e9283899b
+---
+ sftp-server.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sftp-server.c b/sftp-server.c
+index 3619cdfc0..df0fb5068 100644
+--- a/sftp-server.c
++++ b/sftp-server.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
++/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
+ /*
+  * Copyright (c) 2000-2004 Markus Friedl.  All rights reserved.
+  *
+@@ -691,8 +691,8 @@ process_open(u_int32_t id)
+ 	logit("open \"%s\" flags %s mode 0%o",
+ 	    name, string_from_portable(pflags), mode);
+ 	if (readonly &&
+-	    ((flags & O_ACCMODE) == O_WRONLY ||
+-	    (flags & O_ACCMODE) == O_RDWR)) {
++	    ((flags & O_ACCMODE) != O_RDONLY ||
++	    (flags & (O_CREAT|O_TRUNC)) != 0)) {
+ 		verbose("Refusing open request in read-only mode");
+ 		status = SSH2_FX_PERMISSION_DENIED;
+ 	} else {
+

openssh.spec

@@ -228,6 +228,8 @@ Patch944: openssh-7.3p1-x11-max-displays.patch
 Patch948: openssh-7.4p1-systemd.patch
 # Fix typo in sandbox code; missing header for s390
 Patch949: openssh-7.5p1-sandbox.patch
+# Avoid creation of zero-length files in readonly mode (#1506631)
+Patch950: openssh-7.5p1-sftp-empty-files.patch
 
 
 License: BSD
@@ -462,6 +464,7 @@ popd
 %patch944 -p1 -b .x11max
 %patch948 -p1 -b .systemd
 %patch949 -p1 -b .sandbox
+%patch950 -p1 -b .sftp-empty
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race