CVE-2017-15906: Avoid improper write operations in readonly mode (#1506630)

This commit is contained in:
Jakub Jelen 2017-11-22 12:57:06 +01:00
parent 2ea24bb006
commit 34d579d950
2 changed files with 38 additions and 0 deletions

View File

@ -0,0 +1,35 @@
From 4d827f0d75a53d3952288ab882efbddea7ffadfe Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Tue, 4 Apr 2017 00:24:56 +0000
Subject: [PATCH] upstream commit
disallow creation (of empty files) in read-only mode;
reported by Michal Zalewski, feedback & ok deraadt@
Upstream-ID: 5d9c8f2fa8511d4ecf95322994ffe73e9283899b
---
sftp-server.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sftp-server.c b/sftp-server.c
index 3619cdfc0..df0fb5068 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
+/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
/*
* Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
*
@@ -691,8 +691,8 @@ process_open(u_int32_t id)
logit("open \"%s\" flags %s mode 0%o",
name, string_from_portable(pflags), mode);
if (readonly &&
- ((flags & O_ACCMODE) == O_WRONLY ||
- (flags & O_ACCMODE) == O_RDWR)) {
+ ((flags & O_ACCMODE) != O_RDONLY ||
+ (flags & (O_CREAT|O_TRUNC)) != 0)) {
verbose("Refusing open request in read-only mode");
status = SSH2_FX_PERMISSION_DENIED;
} else {

View File

@ -228,6 +228,8 @@ Patch944: openssh-7.3p1-x11-max-displays.patch
Patch948: openssh-7.4p1-systemd.patch
# Fix typo in sandbox code; missing header for s390
Patch949: openssh-7.5p1-sandbox.patch
# Avoid creation of zero-length files in readonly mode (#1506631)
Patch950: openssh-7.5p1-sftp-empty-files.patch
License: BSD
@ -462,6 +464,7 @@ popd
%patch944 -p1 -b .x11max
%patch948 -p1 -b .systemd
%patch949 -p1 -b .sandbox
%patch950 -p1 -b .sftp-empty
%patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race