The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.
{ "vanir_signatures": [ { "id": "CVE-2017-15906-09c3b956", "signature_type": "Function", "digest": { "function_hash": "245508202350905329393278082937121320963", "length": 1097.0 }, "target": { "file": "usr.bin/ssh/sftp-server.c", "function": "process_open" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/openbsd/src/commit/a6981567e8e215acc1ef690c8dbb30f2d9b00a19" }, { "id": "CVE-2017-15906-360f872e", "signature_type": "Line", "digest": { "line_hashes": [ "79029947967818200721355068208786597809", "77853498154400323396518088625010115415", "268877291144902812295503531205744277960", "280892792703464745601877662259899291724", "283502225313182026327669295555407248695" ], "threshold": 0.9 }, "target": { "file": "servconf.h" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/openssh/openssh-portable/commit/66bf74a92131b7effe49fb0eefe5225151869dc5" }, { "id": "CVE-2017-15906-37a449e1", "signature_type": "Line", "digest": { "line_hashes": [ "73451354983332106238004573019954184765", "115047829827750025844972100937310889789", "225154063895468876819726826952558484895", "228425264224619864482417641601121868070", "128057601860705487882805129516859362391", "140618039411384439181225380759627597025" ], "threshold": 0.9 }, "target": { "file": "usr.bin/ssh/sftp-server.c" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/openbsd/src/commit/a6981567e8e215acc1ef690c8dbb30f2d9b00a19" }, { "id": "CVE-2017-15906-61f5ac93", "signature_type": "Line", "digest": { "line_hashes": [ "311485281856427141192081750490489962261", "20931721351770823892963951840738827003", "80987361099183754224328866329143632972", "258874072705965473424444661351981976079", "196434860077555402256406014269679425315", "9307661487544646414396110207111741407", "43704091906660878372593406058490428367", "221055566254099029738270213230424269474" ], "threshold": 0.9 }, "target": { "file": "monitor.c" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/openssh/openssh-portable/commit/66bf74a92131b7effe49fb0eefe5225151869dc5" }, { "id": "CVE-2017-15906-9bf8851e", "signature_type": "Line", "digest": { "line_hashes": [ "186023089215617829128658093752918424562", "277728783570913075901280264746461193166", "271805213036176209986841484488758315621", "149799233050313836625691637518151346167", "237230542325546270649432656318064392907", "249682326877442407827138571995558370246", "308074672074757758578285663153194373492", "52369010191972798770980000799777133712", "176867238064493190420783257875476003269" ], "threshold": 0.9 }, "target": { "file": "servconf.c" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/openssh/openssh-portable/commit/66bf74a92131b7effe49fb0eefe5225151869dc5" }, { "id": "CVE-2017-15906-ab667834", "signature_type": "Line", "digest": { "line_hashes": [ "123299733082017567328061069905839651551", "275526744511639397224161220911049167047", "300188845767632654615938292445397191443", "132807140414766101206872787469164074875", "196434860077555402256406014269679425315", "222817316289057585556516792964365074219", "35318005652860758439782592685762608767", "335420158061575882367860763070171613617" ], "threshold": 0.9 }, "target": { "file": "monitor_wrap.c" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/openssh/openssh-portable/commit/66bf74a92131b7effe49fb0eefe5225151869dc5" } ] }