The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files. Upstream patch: https://github.com/openbsd/src/commit/a6981567e8e215acc1ef690c8dbb30f2d9b00a19 References: https://www.openssh.com/txt/release-7.6
Created openssh tracking bugs for this issue: Affects: fedora-all [bug 1506631]
Analysis: It seems the maximum impact of this flaw is that the attacker can create an extremely large number of zero length files to fill up a harddisk on a remote server which the attacker has read-only access to.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:0980 https://access.redhat.com/errata/RHSA-2018:0980