Fix CVE-2026-35385

Fix privilege escalation via scp legacy protocol when not in preserving file mode Resolves: RHEL-164754 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2026-04-08 15:55:24 +02:00 · 2026-04-08 15:55:24 +02:00 · fe1ca1cded
commit fe1ca1cded
parent a3754bfa18
2 changed files with 21 additions and 0 deletions
--- a/openssh-9.9p1-scp-clear-setuid.patch
+++ b/openssh-9.9p1-scp-clear-setuid.patch
@ -0,0 +1,15 @@
+diff --color -ruNp a/scp.c b/scp.c
+--- a/scp.c	2026-04-07 15:54:11.193730842 +0200
+++ b/scp.c	2026-04-07 15:55:52.529425481 +0200
+@@ -1705,8 +1705,10 @@ sink(int argc, char **argv, const char *
+ 
+ 	setimes = targisdir = 0;
+ 	mask = umask(0);
+-	if (!pflag)
+	if (!pflag) {
+		mask |= 07000;
+ 		(void) umask(mask);
+	}
+ 	if (argc != 1) {
+ 		run_err("ambiguous target");
+ 		exit(1);
--- a/openssh.spec
+++ b/openssh.spec
@ -249,6 +249,8 @@ Patch1038: openssh-9.9p1-reject-null-char-in-url-string.patch
 Patch1039: openssh-9.9p1-compat-mlkem.patch
 # https://github.com/openssh/openssh-portable/pull/649
 Patch1040: openssh-9.9p1-fill-default-options-error.patch
+# upstream 487e8ac146f7d6616f65c125d5edb210519b833a
+Patch1041: openssh-9.9p1-scp-clear-setuid.patch

 License: BSD
 Requires: /sbin/nologin
@ -463,6 +465,7 @@ popd
 %patch1038 -p1 -b .reject-null-char-in-url-string
 %patch1039 -p1 -b .skip-mlkem-when-na
 %patch1040 -p1 -b .fill-default-options-error
+%patch1041 -p1 -b .scp-clear-setuid

 %patch100 -p1 -b .coverity

@ -758,6 +761,9 @@ test -f %{sysconfig_anaconda} && \
  Resolves: RHEL-163366
 - Ssh should refuse connection when mlkem kex is specified in FIPS
  Resolves: RHEL-155161
+- CVE-2026-35385: Fix privilege escalation via scp legacy protocol
+  when not in preserving file mode
+  Resolves: RHEL-164754

 * Thu Mar 26 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-7 + 0.10.4-9
 - Version bump