CVE-2026-35385: scp leaves setuid/setgid/sticky bits in dest mode

When -p (preserve) is not given, scp computes the destination mode from
the saved umask but did not strip the setuid/setgid/sticky bits, so a
malicious source side could land files at the destination with those
bits set.

Pulled from upstream openssh src/usr.bin/ssh/scp.c r1.273
(OpenBSD-Commit djm@openbsd.org, 2026-04-02).

Index: openssh-10.0p1/scp.c
===================================================================
--- openssh-10.0p1.orig/scp.c
+++ openssh-10.0p1/scp.c
@@ -1685,8 +1685,10 @@ sink(int argc, char **argv, const char *
 
 	setimes = targisdir = 0;
 	mask = umask(0);
-	if (!pflag)
+	if (!pflag) {
+		mask |= 07000;
 		(void) umask(mask);
+	}
 	if (argc != 1) {
 		run_err("ambiguous target");
 		exit(1);