Version in base suite: 2.6-3
Version in overlay suite: 2.6-3+deb13u1

Base version: inetutils_2.6-3+deb13u1
Target version: inetutils_2.6-3+deb13u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/inetutils/inetutils_2.6-3+deb13u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/i/inetutils/inetutils_2.6-3+deb13u2.dsc

 changelog                                                                   |    9 +
 patches/series                                                              |    1 
 patches/upstream/0001-telnetd-don-t-allow-systemd-service-credentials.patch |   54 ++++++++++
 3 files changed, 64 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpwzbrmvbh/inetutils_2.6-3+deb13u1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpwzbrmvbh/inetutils_2.6-3+deb13u2.dsc: no acceptable signature found
diff -Nru inetutils-2.6/debian/changelog inetutils-2.6/debian/changelog
--- inetutils-2.6/debian/changelog	2026-01-21 16:37:32.000000000 +0000
+++ inetutils-2.6/debian/changelog	2026-02-18 01:29:14.000000000 +0000
@@ -1,3 +1,12 @@
+inetutils (2:2.6-3+deb13u2) trixie-security; urgency=high
+
+  * Prevent privilege escalation via telnetd abusing systemd service
+    credentials support added to the login(1) implementation of util-linux in
+    release 2.40. Reported by Ron Ben Yizhak <ron.benyizhak@safebreach.com>.
+    <https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>
+
+ -- Guillem Jover <guillem@debian.org>  Wed, 18 Feb 2026 02:29:14 +0100
+
 inetutils (2:2.6-3+deb13u1) trixie-security; urgency=high
 
   * Fix remote authentication bypass in telnetd.
diff -Nru inetutils-2.6/debian/patches/series inetutils-2.6/debian/patches/series
--- inetutils-2.6/debian/patches/series	2026-01-21 16:37:32.000000000 +0000
+++ inetutils-2.6/debian/patches/series	2026-02-18 01:26:21.000000000 +0000
@@ -1,6 +1,7 @@
 # Upstream patches
 upstream/0001-Fix-injection-bug-with-bogus-user-names.patch
 upstream/0002-telnetd-Sanitize-all-variable-expansions.patch
+upstream/0001-telnetd-don-t-allow-systemd-service-credentials.patch
 # Local patches
 local/0001-build-Disable-GFDL-info-files-and-useless-man-pages.patch
 local/0002-build-Use-runstatedir-for-run-directory.patch
diff -Nru inetutils-2.6/debian/patches/upstream/0001-telnetd-don-t-allow-systemd-service-credentials.patch inetutils-2.6/debian/patches/upstream/0001-telnetd-don-t-allow-systemd-service-credentials.patch
--- inetutils-2.6/debian/patches/upstream/0001-telnetd-don-t-allow-systemd-service-credentials.patch	1970-01-01 00:00:00.000000000 +0000
+++ inetutils-2.6/debian/patches/upstream/0001-telnetd-don-t-allow-systemd-service-credentials.patch	2026-02-18 01:26:21.000000000 +0000
@@ -0,0 +1,54 @@
+From 4db2f19f4caac03c7f4da6363c140bd70df31386 Mon Sep 17 00:00:00 2001
+From: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
+Date: Sun, 15 Feb 2026 15:38:50 +0100
+Subject: [PATCH] telnetd: don't allow systemd service credentials
+
+The login(1) implementation of util-linux added support for
+systemd service credentials in release 2.40.  This allows to
+bypass authentication by specifying a directory name in the
+environment variable CREDENTIALS_DIRECTORY.  If this directory
+contains a file named 'login.noauth' with the content of 'yes',
+login(1) skips authentication.
+
+GNU Inetutils telnetd supports to set arbitrary environment
+variables using the 'Environment' and 'New Environment'
+Telnet options.  This allows specifying a directory containing
+'login.noauth'.  A local user can create such a directory
+and file, and, e.g., specify the user name 'root' to escalate
+privileges.
+
+This problem was reported by Ron Ben Yizhak in
+<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>.
+
+This commit clears CREDENTIALS_DIRECTORY from the environment
+before executing login(1) to implement a simple fix that can
+be backported easily.
+
+* telnetd/pty.c: Clear CREDENTIALS_DIRECTORY from the environment
+before executing 'login'.
+---
+ telnetd/pty.c | 8 ++++++++
+ 3 files changed, 14 insertions(+)
+
+diff --git a/telnetd/pty.c b/telnetd/pty.c
+index c727e7be..f3518049 100644
+--- a/telnetd/pty.c
++++ b/telnetd/pty.c
+@@ -129,6 +129,14 @@ start_login (char *host, int autologin, char *name)
+   if (!cmd)
+     fatal (net, "can't expand login command line");
+   argcv_get (cmd, "", &argc, &argv);
++
++  /* util-linux's "login" introduced an authentication bypass method
++   * via environment variable "CREDENTIALS_DIRECTORY" in version 2.40.
++   * Clear it from the environment before executing "login" to prevent
++   * abuse via Telnet.
++   */
++  unsetenv ("CREDENTIALS_DIRECTORY");
++
+   execv (argv[0], argv);
+   syslog (LOG_ERR, "%s: %m\n", cmd);
+   fatalperror (net, cmd);
+-- 
+2.51.0
+