Chris High
2017-Oct-04 14:51 UTC
sftp-server read only permitting zero-length files to be created query
OpenSSH team,

The document: http://www.openssh.com/txt/release-7.6
indicates:

Security
- --------

 * sftp-server(8): in read-only mode, sftp-server was incorrectly
   permitting creation of zero-length files. Reported by Michal
   Zalewski.

But when I look here: https://www.openssh.com/security.html
I don't see this item listed.

At what version was this security problem introduced? Or is this applicable to all versions older than 7.6?

Thanks - Chris
Damien Miller
2017-Oct-04 17:54 UTC
sftp-server read only permitting zero-length files to be created query
On Wed, 4 Oct 2017, Chris High wrote:

> OpenSSH team,
>
> The document: http://www.openssh.com/txt/release-7.6
> indicates:
> Security
> - --------
>
> * sftp-server(8): in read-only mode, sftp-server was incorrectly
> permitting creation of zero-length files. Reported by Michal
> Zalewski.
>
> But when I look here: https://www.openssh.com/security.html
> I don't see this item listed.

I've just committed the security.html updated

> At what version was this security problem
> introduced? Or is this applicable to all versions older than 7.6?

All versions that support the read-only mode, so 5.5 onwards