diff --git a/openssh-9.9p1-scp-clear-setuid.patch b/openssh-9.9p1-scp-clear-setuid.patch
new file mode 100644
index 0000000..1a848a1
--- /dev/null
+++ b/openssh-9.9p1-scp-clear-setuid.patch
@@ -0,0 +1,15 @@
+diff --color -ruNp a/scp.c b/scp.c
+--- a/scp.c 2026-04-07 15:54:11.193730842 +0200
++++ b/scp.c 2026-04-07 15:55:52.529425481 +0200
+@@ -1705,8 +1705,10 @@ sink(int argc, char **argv, const char *
+
+ setimes = targisdir = 0;
+ mask = umask(0);
+- if (!pflag)
++ if (!pflag) {
++ mask |= 07000;
+ (void) umask(mask);
++ }
+ if (argc != 1) {
+ run_err("ambiguous target");
+ exit(1);
diff --git a/openssh.spec b/openssh.spec
index 50cd49e..39de036 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -66,7 +66,7 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.0p1
-%global openssh_rel 28
+%global openssh_rel 29
 %global pam_ssh_agent_ver 0.10.3
 %global pam_ssh_agent_rel 7
@@ -300,6 +300,8 @@ Patch1022: openssh-8.0p1-CVE-2025-26465.patch
 Patch1023: openssh-8.0p1-reject-cntrl-chars-in-username.patch
 # upstream 43b3bff47bb029f2299bacb6a36057981b39fdb0
 Patch1024: openssh-8.7p1-reject-null-char-in-url-string.patch
+# upstream 487e8ac146f7d6616f65c125d5edb210519b833a
+Patch1025: openssh-9.9p1-scp-clear-setuid.patch
 License: BSD
 Group: Applications/Internet
@@ -551,6 +553,7 @@ popd
 %patch1022 -p2 -b .cve-2025-26465
 %patch1023 -p1 -b .reject-cntrl-chars-in-username
 %patch1024 -p1 -b .reject-null-char-in-url-string
+%patch1025 -p1 -b .scp-clear-setuid
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -836,6 +839,11 @@ getent passwd sshd >/dev/null || \
 %endif
 %changelog
+* Mon Apr 13 2026 Zoltan Fridrich - 8.0p1-29
+- CVE-2026-35385: Fix privilege escalation via scp legacy protocol
+ when not in preserving file mode
+ Resolves: RHEL-164743
+
 * Mon Mar 16 2026 Zoltan Fridrich - 8.0p1-28
 - CVE-2026-3497: Fix information disclosure or denial of service due to uninitialized variables in gssapi-keyex
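Review bot: The `mask |= 07000;` line added in the sink() hunk has no comment although the constant carries the whole fix: it adds setuid, setgid and sticky to the bits scp masks off when `-p` is not given. I would put `/* without -p, never apply setuid/setgid/sticky bits sent by the peer */` above it and write the constant as `S_ISUID|S_ISGID|S_ISVTX`. The widened value is also passed to `umask()`, which honours only the permission bits (`mask & 0777` on Linux), so the protection presumably comes from sink() applying `~mask` to the received mode further down, outside this hunk; `(void) umask(mask & 0777);` would make that explicit. sink() starts and ends outside the hunk, so that later use of `mask` should be confirmed against the 8.0p1 source this patch is applied to.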