Version in base suite: 2.6-3 Base version: inetutils_2.6-3 Target version: inetutils_2.6-3+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/inetutils/inetutils_2.6-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/i/inetutils/inetutils_2.6-3+deb13u1.dsc changelog | 9 + patches/series | 3 patches/upstream/0001-Fix-injection-bug-with-bogus-user-names.patch | 37 ++++ patches/upstream/0002-telnetd-Sanitize-all-variable-expansions.patch | 81 ++++++++++ 4 files changed, 130 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmphgk3w1m_/inetutils_2.6-3.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmphgk3w1m_/inetutils_2.6-3+deb13u1.dsc: no acceptable signature found
diff -Nru inetutils-2.6/debian/changelog inetutils-2.6/debian/changelog
--- inetutils-2.6/debian/changelog 2025-06-22 14:59:29.000000000 +0000
+++ inetutils-2.6/debian/changelog 2026-01-21 16:37:32.000000000 +0000
@@ -1,3 +1,12 @@
+inetutils (2:2.6-3+deb13u1) trixie-security; urgency=high
+
+ * Fix remote authentication bypass in telnetd.
+ GNU InetUtils Security Advisory:
+
+ Fixes CVE-2026-24061. (Closes: #1126047)
+
+ -- Guillem Jover Wed, 21 Jan 2026 17:37:32 +0100
+
 inetutils (2:2.6-3) unstable; urgency=medium
 
 * Make libsystemd-dev support linux-any specific.
diff -Nru inetutils-2.6/debian/patches/series inetutils-2.6/debian/patches/series
--- inetutils-2.6/debian/patches/series 2025-06-20 01:34:11.000000000 +0000
+++ inetutils-2.6/debian/patches/series 2026-01-21 16:37:32.000000000 +0000
@@ -1,3 +1,6 @@
+# Upstream patches
+upstream/0001-Fix-injection-bug-with-bogus-user-names.patch
+upstream/0002-telnetd-Sanitize-all-variable-expansions.patch
 # Local patches
 local/0001-build-Disable-GFDL-info-files-and-useless-man-pages.patch
 local/0002-build-Use-runstatedir-for-run-directory.patch
diff -Nru inetutils-2.6/debian/patches/upstream/0001-Fix-injection-bug-with-bogus-user-names.patch inetutils-2.6/debian/patches/upstream/0001-Fix-injection-bug-with-bogus-user-names.patch
--- inetutils-2.6/debian/patches/upstream/0001-Fix-injection-bug-with-bogus-user-names.patch 1970-01-01 00:00:00.000000000 +0000
+++ inetutils-2.6/debian/patches/upstream/0001-Fix-injection-bug-with-bogus-user-names.patch 2026-01-21 16:37:32.000000000 +0000
@@ -0,0 +1,37 @@
+From d47ef23dbdc1fd45c1c989e5bf88911328daa3b2 Mon Sep 17 00:00:00 2001
+From: Paul Eggert
+Date: Tue, 20 Jan 2026 01:10:36 -0800
+Subject: [PATCH 1/2] Fix injection bug with bogus user names
+
+Problem reported by Kyu Neushwaistein.
+* telnetd/utility.c (_var_short_name):
+Ignore user names that start with '-' or contain shell metacharacters.
+
+Signed-off-by: Simon Josefsson
+---
+ telnetd/utility.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/telnetd/utility.c b/telnetd/utility.c
+index 534d683a..4a56622d 100644
+--- a/telnetd/utility.c
++++ b/telnetd/utility.c
+@@ -1733,7 +1733,14 @@ _var_short_name (struct line_expander *exp)
+ return user_name ? xstrdup (user_name) : NULL;
+
+ case 'U':
+- return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup ("");
++ {
++ /* Ignore user names starting with '-' or containing shell
++ metachars, as they can cause trouble. */
++ char const *u = getenv ("USER");
++ return xstrdup ((u && *u != '-'
++ && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")])
++ ? u : "");
++ }
+
+ default:
+ exp->state = EXP_STATE_ERROR;
+--
+2.51.0
+
diff -Nru inetutils-2.6/debian/patches/upstream/0002-telnetd-Sanitize-all-variable-expansions.patch inetutils-2.6/debian/patches/upstream/0002-telnetd-Sanitize-all-variable-expansions.patch
--- inetutils-2.6/debian/patches/upstream/0002-telnetd-Sanitize-all-variable-expansions.patch 1970-01-01 00:00:00.000000000 +0000
+++ inetutils-2.6/debian/patches/upstream/0002-telnetd-Sanitize-all-variable-expansions.patch 2026-01-21 16:37:32.000000000 +0000
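Review bot: A USER value rejected by the new check in case 'U' is silently replaced by "" with no diagnostic, so an attempted option injection through the environment leaves nothing for an operator to detect in the logs. Emitting a warning through the daemon's existing logging before falling back to the empty string, one that names the variable but does not echo the rejected value itself, would make such attempts visible without changing the protective behaviour. The same silent fallback is inherited by sanitize() in patch 0002, which replaces this block. The inner hunk shows only part of _var_short_name, which begins and ends outside it.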
@@ -0,0 +1,81 @@
+From ab2e0b1f37c0c011b2cf7d0fd5687b30631a1921 Mon Sep 17 00:00:00 2001
+From: Simon Josefsson
+Date: Tue, 20 Jan 2026 14:02:39 +0100
+Subject: [PATCH 2/2] telnetd: Sanitize all variable expansions
+
+* telnetd/utility.c (sanitize): New function.
+(_var_short_name): Use it for all variables.
+---
+ telnetd/utility.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/telnetd/utility.c b/telnetd/utility.c
+index 4a56622d..1e7adb08 100644
+--- a/telnetd/utility.c
++++ b/telnetd/utility.c
+@@ -1684,6 +1684,17 @@ static void _expand_cond (struct line_expander *exp);
+ static void _skip_block (struct line_expander *exp);
+ static void _expand_block (struct line_expander *exp);
+
++static char *
++sanitize (const char *u)
++{
++ /* Ignore values starting with '-' or containing shell metachars, as
++ they can cause trouble. */
++ if (u && *u != '-' && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")])
++ return u;
++ else
++ return "";
++}
++
+ /* Expand a variable referenced by its short one-symbol name.
+ Input: exp->cp points to the variable name.
+ FIXME: not implemented */
+@@ -1710,13 +1721,13 @@ _var_short_name (struct line_expander *exp)
+ return xstrdup (timebuf);
+
+ case 'h':
+- return xstrdup (remote_hostname);
++ return xstrdup (sanitize (remote_hostname));
+
+ case 'l':
+- return xstrdup (local_hostname);
++ return xstrdup (sanitize (local_hostname));
+
+ case 'L':
+- return xstrdup (line);
++ return xstrdup (sanitize (line));
+
+ case 't':
+ q = strchr (line + 1, '/');
+@@ -1724,23 +1735,16 @@ _var_short_name (struct line_expander *exp)
+ q++;
+ else
+ q = line;
+- return xstrdup (q);
++ return xstrdup (sanitize (q));
+
+ case 'T':
+- return terminaltype ? xstrdup (terminaltype) : NULL;
++ return terminaltype ? xstrdup (sanitize (terminaltype)) : NULL;
+
+ case 'u':
+- return user_name ? xstrdup (user_name) : NULL;
++ return user_name ? xstrdup (sanitize (user_name)) : NULL;
+
+ case 'U':
+- {
+- /* Ignore user names starting with '-' or containing shell
+- metachars, as they can cause trouble. */
+- char const *u = getenv ("USER");
+- return xstrdup ((u && *u != '-'
+- && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")])
+- ? u : "");
+- }
++ return xstrdup (sanitize (getenv ("USER")));
+
+ default:
+ exp->state = EXP_STATE_ERROR;
+--
+2.51.0
+
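Review bot: sanitize() is declared as returning `char *` but its success path does `return u;` where u is the `const char *` parameter, which discards the const qualifier (GCC warns with -Wdiscarded-qualifiers, and a -Werror build fails); every caller only passes the result to xstrdup(), so the declaration can simply become `static const char *` / `sanitize (const char *u)`. Note also that sanitize() maps a NULL argument to "" while the 'T' and 'u' cases still test terminaltype/user_name for NULL before calling it, so the original NULL result for an unset value survives only because of those outer checks; a comment on sanitize() such as `/* Return U unchanged if it is safe, otherwise "" (never NULL); callers that must preserve NULL check it first.  */` would record that contract. The inner hunks show only parts of _var_short_name, which begins and ends outside them.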