Fix CVE-2026-35385

Fix privilege escalation via scp legacy protocol
when not in preserving file mode

Resolves: RHEL-164740

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

openssh-9.9p1-scp-clear-setuid.patch

@@ -0,0 +1,15 @@
+diff --color -ruNp a/scp.c b/scp.c
+--- a/scp.c	2026-04-07 15:54:11.193730842 +0200
++++ b/scp.c	2026-04-07 15:55:52.529425481 +0200
+@@ -1705,8 +1705,10 @@ sink(int argc, char **argv, const char *
+ 
+ 	setimes = targisdir = 0;
+ 	mask = umask(0);
+-	if (!pflag)
++	if (!pflag) {
++		mask |= 07000;
+ 		(void) umask(mask);
++	}
+ 	if (argc != 1) {
+ 		run_err("ambiguous target");
+ 		exit(1);

openssh.spec

@@ -239,6 +239,8 @@ Patch1037: openssh-9.9p1-first-match-wins.patch
 Patch1038: openssh-9.9p1-maxstartups-mistracking.patch
 # https://github.com/openssh/openssh-portable/pull/649
 Patch1039: openssh-9.9p1-fill-default-options-error.patch
+# upstream 487e8ac146f7d6616f65c125d5edb210519b833a
+Patch1040: openssh-9.9p1-scp-clear-setuid.patch
 
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND snprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
@@ -442,6 +444,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %patch -P 1037 -p1 -b .first-match-wins
 %patch -P 1038 -p1 -b .maxstartups-mistracking
 %patch -P 1039 -p1 -b .fill-default-options-error
+%patch -P 1040 -p1 -b .scp-clear-setuid
 
 %patch -P 100 -p1 -b .coverity
 
@@ -727,6 +730,9 @@ test -f %{sysconfig_anaconda} && \
   Resolves: RHEL-163365
 - Ssh should refuse connection when mlkem kex is specified in FIPS
   Resolves: RHEL-155178
+- CVE-2026-35385: Fix privilege escalation via scp legacy protocol
+  when not in preserving file mode
+  Resolves: RHEL-164740
 
 * Fri Mar 27 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-24
 - Fix typo in SPDX license name