Bug was found in OpenSSH 6.8 and 6.9. Incorrectly set TTYs to be world-writable allow local attackers to be able to write arbitrary messages to logged-in users, including terminal escape sequences.
Created openssh tracking bugs for this issue:
Affects: fedora-all [bug 1252862]
openssh-7.0p1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
openssh-6.9p1-5.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Interesting observation of how to exploit this vulnerability for code execution as the targeted user:
This issue was introduced in the following upstream commit:
That commit intentionally changed TTY permissions for systems without the tty group from S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH (622) to 600, but also unintentionally changed permissions for systems with the tty group from S_IRUSR | S_IWUSR | S_IWGRP (620) to 622.
The openssh versions as shipped Red Hat Enterprise Linux 7 and earlier did not include the above incorrect change and hence were not affected by this issue.
This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 5, 6, and 7.