1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-15 15:37:03 +00:00

openssh: patch CVE-2026-35385

Backport patch from [1] matching CVE description in [2] and change described
in release note [3].

[1] https://github.com/openssh/openssh-portable/commit/487e8ac146f7d6616f65c125d5edb210519b833a

[2] https://security-tracker.debian.org/tracker/CVE-2026-35385

[3] https://www.openssh.org/releasenotes.html#10.3p1

(From OE-Core rev: 8a5742fdc3d60e8ab0da2e1f1401995105b742b9)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Theo Gaige (Schneider Electric)
2026-05-20 10:29:30 +02:00
committed by Paul Barker
parent 8457a5d3d9
commit e0f9a13f5f
2 changed files with 48 additions and 0 deletions
@@ -0,0 +1,47 @@
From 9df287221ad61f6b05b3e80bc57bdaacfa5ab243 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Thu, 2 Apr 2026 07:42:16 +0000
Subject: [PATCH] upstream: when downloading files as root in legacy (-O) mode
and
without the -p (preserve modes) flag set, clear setuid/setgid bits from
downloaded files as one might expect.
AFAIK this bug dates back to the original Berkeley rcp program.
Reported by Christos Papakonstantinou of Cantina and Spearbit.
OpenBSD-Commit-ID: 49e902fca8dd933a92a9b547ab31f63e86729fa1
CVE: CVE-2026-35385
Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/487e8ac146f7d6616f65c125d5edb210519b833a]
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
---
scp.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/scp.c b/scp.c
index 492dace12..2c21fa19a 100644
--- a/scp.c
+++ b/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.260 2023/10/11 05:42:08 djm Exp $ */
+/* $OpenBSD: scp.c,v 1.273 2026/04/02 07:42:16 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@@ -1682,8 +1682,10 @@ sink(int argc, char **argv, const char *src)
setimes = targisdir = 0;
mask = umask(0);
- if (!pflag)
+ if (!pflag) {
+ mask |= 07000;
(void) umask(mask);
+ }
if (argc != 1) {
run_err("ambiguous target");
exit(1);
--
2.43.0
@@ -34,6 +34,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://CVE-2025-32728.patch \
file://CVE-2025-61985.patch \
file://CVE-2025-61984.patch \
file://CVE-2026-35385.patch \
"
SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"