fix: Clear setuid/setgid bits when downloading files via scp (CVE-2026-35385)

[deepin-ci-robot]

CVE-2026-35385 Fix

Vulnerability

When downloading files as root in legacy (-O) mode and without the -p (preserve modes) flag set, scp did not clear setuid/setgid bits from downloaded files as one might typically expect. This bug dates back to the original Berkeley rcp program.

Fix

Backport upstream commit 487e8ac which adds mask |= 07000 to clear setuid/setgid/sticky bits when not preserving modes.

Changes

• debian/patches/0038-upstream-Clear-setuid-setgid-bits-when-downloading-.patch: New patch
• debian/patches/series: Add new patch
• debian/changelog: Bump to 1:9.9p2-0deepin7

References

• CVE: CVE-2026-35385
• NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35385
• Upstream advisory: https://www.openssh.org/releasenotes.html#10.3p1
• Upstream commit: openssh/openssh-portable@487e8ac

[github-actions]

TAG Bot

TAG: 1%9.9p2-0deepin7
EXISTED: no
DISTRIBUTION: unstable

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign yukarichiba for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• https:/raw.githubusercontent.com/deepin-community/template-repository/master/debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[deepin-ci-robot]

/hold
因为该quilt包的上游版本号变更，详情见: deepin-community/infra-settings#134

[Zeno-sole]

/integrate

[github-actions]

AutoIntegrationPr Bot
auto integrate with pr url: deepin-community/Repository-Integration#4062
PrNumber: 4062
PrBranch: auto-integration-26216164277

[hudeng-go]

/integrate