# HG changeset patch
# Parent 70f144cf46b999eed1eebda70cb27cadc4e49b82
Stricter checking for write actions in read-only mode in the stfp server CVE-2017-15906 bsc#1065000 backoported upstream commit 4d827f0d75a53d3952288ab882efbddea7ffadfe
diff --git a/openssh-7.2p2/sftp-server.c b/openssh-7.2p2/sftp-server.c
--- a/openssh-7.2p2/sftp-server.c
+++ b/openssh-7.2p2/sftp-server.c
@@ -700,18 +700,18 @@ process_open(u_int32_t id)
 mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
 if (permforce == 1) {
 mode = permforcemode;
 (void)umask(0); /* so umask does not interfere */
 }
 logit("open \"%s\" flags %s mode 0%o",
 name, string_from_portable(pflags), mode);
 if (readonly &&
- ((flags & O_ACCMODE) == O_WRONLY ||
- (flags & O_ACCMODE) == O_RDWR)) {
+ ((flags & O_ACCMODE) != O_RDONLY ||
+ (flags & (O_CREAT|O_TRUNC)) != 0)) {
 verbose("Refusing open request in read-only mode");
 status = SSH2_FX_PERMISSION_DENIED;
 } else {
 fd = open(name, flags, mode);
 if (fd < 0) {
 status = errno_to_portable(errno);
 } else {
 handle = handle_new(HANDLE_FILE, name, fd, flags, NULL);
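Review bot: The added test `(flags & (O_CREAT|O_TRUNC)) != 0` carries no comment explaining why it is needed on top of the access-mode comparison, and the reason is not evident from the line: an open with O_RDONLY can still create an empty file, and on some systems truncate an existing one. I would put `/* O_RDONLY combined with O_CREAT or O_TRUNC can still create or truncate a file */` directly above the `if (readonly &&` line so the second clause is not later removed as redundant. The check names two flags explicitly, so if the code that fills `flags` (outside this hunk) ever maps another flag with a side effect, it has to be added here as well. process_open starts before the hunk and continues past its last line.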