Version in base suite: 2.6-3+deb13u2 Base version: inetutils_2.6-3+deb13u2 Target version: inetutils_2.6-3+deb13u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/inetutils/inetutils_2.6-3+deb13u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/i/inetutils/inetutils_2.6-3+deb13u3.dsc changelog | 44 + local/man/telnetd.8 | 10 patches/local/0007-gnulib-update.patch | 112 ++++ patches/local/0008-telnet-Do-not-leak-environment-variables-not-marked-.patch | 162 ++++++ patches/local/0009-telnetd-Prevent-user-local-privilege-escalation-usin.patch | 178 ++++++ patches/series | 5 patches/upstream/0001-telnetd-don-t-allow-systemd-service-credentials.patch | 5 patches/upstream/0004-telnetd-add-the-new-accept-env-option.patch | 258 ++++++++++ patches/upstream/0005-telnetd-fix-stack-buffer-overflow-processing-SLC-sub.patch | 40 + 9 files changed, 804 insertions(+), 10 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmps350fob0/inetutils_2.6-3+deb13u2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmps350fob0/inetutils_2.6-3+deb13u3.dsc: no acceptable signature found diff -Nru inetutils-2.6/debian/changelog inetutils-2.6/debian/changelog --- inetutils-2.6/debian/changelog 2026-02-18 01:29:14.000000000 +0000 +++ inetutils-2.6/debian/changelog 2026-03-30 14:44:03.000000000 +0000 
@@ -1,18 +1,46 @@ +inetutils (2:2.6-3+deb13u3) trixie-security; urgency=high + + * Add patches from upstream: + - Ignore all environment options from clients unless the variable was + listed in the new --accept-env telnetd option. This mitigates privilege + escalation using environment variables. + This is the complete fix for CVE-2026-24061, with its own CVE pending. + - Fix stack buffer overflow processing SLC suboption triplets. + Reported by Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, + Daniel Lubel at DREAM Security Research Team. + Fixes CVE-2026-32746. (Closes: #1130742) + * Add the hashcode-string1 module from forky/sid gnulib, required by the + --accept-env patch. + * Adapt netkit-telnet patch to not leak unexported environment variables to + telnetd. Reported by Justin Swartz . + Fixes CVE-2026-32772. (Closes: #1130741) + * Prevent user local privilege escalation using --debug, which was + susceptible to symlink attacks, or leaking on-wire credentials to a + user that had pre-created the file and kept it open. Fix by switching + from /tmp/telnet.debug to /run/telnet/debug., and making the + setup error checks fatal. + Partially reported by Justin Swartz . + * Update local telnetd man page to match new --debug behavior. + + -- Guillem Jover Mon, 30 Mar 2026 16:44:03 +0200 + inetutils (2:2.6-3+deb13u2) trixie-security; urgency=high - * Prevent privilege escalation via telnetd abusing systemd service - credentials support added to the login(1) implementation of util-linux in - release 2.40. Reported by Ron Ben Yizhak . - + * Add patch from upstream: + - Prevent privilege escalation via telnetd abusing systemd service + credentials support added to the login(1) implementation of util-linux in + release 2.40. Reported by Ron Ben Yizhak . + Fixes CVE-2026-28372. -- Guillem Jover Wed, 18 Feb 2026 02:29:14 +0100 inetutils (2:2.6-3+deb13u1) trixie-security; urgency=high - * Fix remote authentication bypass in telnetd. 
- GNU InetUtils Security Advisory: - - Fixes CVE-2026-24061. (Closes: #1126047) + * Add patch from upstream: + - Fix remote authentication bypass in telnetd. + GNU InetUtils Security Advisory: + + Fixes CVE-2026-24061. (Closes: #1126047) -- Guillem Jover Wed, 21 Jan 2026 17:37:32 +0100 diff -Nru inetutils-2.6/debian/local/man/telnetd.8 inetutils-2.6/debian/local/man/telnetd.8 --- inetutils-2.6/debian/local/man/telnetd.8 2026-01-21 17:15:55.000000000 +0000 +++ inetutils-2.6/debian/local/man/telnetd.8 2026-03-30 14:44:03.000000000 +0000 @@ -124,10 +124,16 @@ This option may be used for debugging purposes. This allows .Nm telnetd -to print out debugging information -to the connection, allowing the user to see what +to write out debugging information to a +.Pa /run/telnet/debug.PID +file, allowing the user to see what .Nm telnetd is doing. +The exact file will be printed by +.Nm telnetd +on the +.Nm telnet +session. There are several possible values for .Ar debugmode : .Bl -tag -width exercise diff -Nru inetutils-2.6/debian/patches/local/0007-gnulib-update.patch inetutils-2.6/debian/patches/local/0007-gnulib-update.patch --- inetutils-2.6/debian/patches/local/0007-gnulib-update.patch 1970-01-01 00:00:00.000000000 +0000 +++ inetutils-2.6/debian/patches/local/0007-gnulib-update.patch 2026-03-30 14:44:03.000000000 +0000 
@@ -0,0 +1,112 @@ +Description: Add the required gnulib code from forky/sid + The 0004-telnetd-add-the-new-accept-env-option.patch patch, requires these + modules which are not available in trixie gnulib and ealier. +Origin: vendor, Debian +Forwarded: not-needed + +--- /dev/null 2026-03-14 02:11:03.078119351 +0100 ++++ b/lib/hashcode-string1.c 2026-01-09 13:26:01.000000000 +0100 +@@ -0,0 +1,62 @@ ++/* hashcode-string1.c -- compute a hash value from a NUL-terminated string. ++ ++ Copyright (C) 1998-2004, 2006-2007, 2009-2026 Free Software Foundation, Inc. ++ ++ This file is free software: you can redistribute it and/or modify ++ it under the terms of the GNU Lesser General Public License as ++ published by the Free Software Foundation; either version 2.1 of the ++ License, or (at your option) any later version. ++ ++ This file is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public License ++ along with this program. If not, see . */ ++ ++#include ++ ++/* Specification. */ ++#include "hashcode-string1.h" ++ ++#if USE_DIFF_HASH ++ ++# include "bitrotate.h" ++ ++/* About hashings, Paul Eggert writes to me (FP), on 1994-01-01: "Please see ++ B. J. McKenzie, R. Harries & T. Bell, Selecting a hashing algorithm, ++ Software--practice & experience 20, 2 (Feb 1990), 209-224. Good hash ++ algorithms tend to be domain-specific, so what's good for [diffutils'] io.c ++ may not be good for your application." 
*/ ++ ++size_t ++hash_string (const char *string, size_t tablesize) ++{ ++ size_t value = 0; ++ unsigned char ch; ++ ++ for (; (ch = *string); string++) ++ value = ch + rotl_sz (value, 7); ++ return value % tablesize; ++} ++ ++#else /* not USE_DIFF_HASH */ ++ ++/* This one comes from 'recode', and performs a bit better than the above as ++ per a few experiments. It is inspired from a hashing routine found in the ++ very old Cyber 'snoop', itself written in typical Greg Mansfield style. ++ (By the way, what happened to this excellent man? Is he still alive?) */ ++ ++size_t ++hash_string (const char *string, size_t tablesize) ++{ ++ size_t value = 0; ++ unsigned char ch; ++ ++ for (; (ch = *string); string++) ++ value = (value * 31 + ch) % tablesize; ++ return value; ++} ++ ++#endif /* not USE_DIFF_HASH */ +--- /dev/null 2026-03-14 02:11:03.078119351 +0100 ++++ b/lib/hashcode-string1.h 2026-01-09 13:26:01.000000000 +0100 +@@ -0,0 +1,38 @@ ++/* hashcode-string1.h -- declaration for a simple hash function ++ Copyright (C) 1998-2004, 2006-2007, 2009-2026 Free Software Foundation, Inc. ++ ++ This file is free software: you can redistribute it and/or modify ++ it under the terms of the GNU Lesser General Public License as ++ published by the Free Software Foundation; either version 2.1 of the ++ License, or (at your option) any later version. ++ ++ This file is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public License ++ along with this program. If not, see . */ ++ ++/* This file uses _GL_ATTRIBUTE_PURE. */ ++#if !_GL_CONFIG_H_INCLUDED ++ #error "Please include config.h first." 
++#endif ++ ++#include ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++ ++/* Compute a hash code for a NUL-terminated string S, ++ and return the hash code modulo TABLESIZE. ++ The result is platform dependent: it depends on the size of the 'size_t' ++ type. */ ++extern size_t hash_string (char const *s, size_t tablesize) _GL_ATTRIBUTE_PURE; ++ ++ ++#ifdef __cplusplus ++} ++#endif diff -Nru inetutils-2.6/debian/patches/local/0008-telnet-Do-not-leak-environment-variables-not-marked-.patch inetutils-2.6/debian/patches/local/0008-telnet-Do-not-leak-environment-variables-not-marked-.patch --- inetutils-2.6/debian/patches/local/0008-telnet-Do-not-leak-environment-variables-not-marked-.patch 1970-01-01 00:00:00.000000000 +0000 +++ inetutils-2.6/debian/patches/local/0008-telnet-Do-not-leak-environment-variables-not-marked-.patch 2026-03-30 14:44:03.000000000 +0000 
@@ -0,0 +1,162 @@ +From 920740d13e8d07b51c95c61e8a6c111027cfdd2f Mon Sep 17 00:00:00 2001 +From: Guillem Jover +Date: Mon, 23 Mar 2026 23:36:56 +0100 +Subject: [PATCH] telnet: Do not leak environment variables not marked for + export to telnetd + +A telnet server can read a client's environment variables with the +NEW-ENVIRON option and the SEND ENV_USERVAR command. + +This had previously been reported as CVE-2005-0488, but inetutils never +got a fix for it. + +Reported-by: Justin Swartz +Based-on-patch: https://gitlab.com/redhat/centos-stream/rpms/telnet/-/blob/c9s/telnet-0.17-env.patch +Link: https://www.openwall.com/lists/oss-security/2026/03/13/1 +Fixes: CVE-2026-32772 +Origin: vendor, Debian +Forwarded: no +--- + libtelnet/misc-proto.h | 4 +++- + telnet/authenc.c | 4 ++-- + telnet/commands.c | 5 +++-- + telnet/externs.h | 4 +++- + telnet/telnet.c | 10 +++++----- + 5 files changed, 16 insertions(+), 11 deletions(-) + +diff --git a/libtelnet/misc-proto.h b/libtelnet/misc-proto.h +index 58031a01..f36d0c2a 100644 +--- a/libtelnet/misc-proto.h ++++ b/libtelnet/misc-proto.h +@@ -68,6 +68,8 @@ + #ifndef __MISC_PROTO__ + # define __MISC_PROTO__ + ++#include ++ + void auth_encrypt_init (char *, char *, char *, char *, int); + void auth_encrypt_user (char *); + void auth_encrypt_connect (int); +@@ -79,6 +81,6 @@ void printd (unsigned char *, int); + int net_write (unsigned char *, int); + void net_encrypt (void); + int telnet_spin (void); +-char *telnet_getenv (char *); ++char *telnet_getenv (char *, bool); + char *telnet_gets (char *, char *, int, int); + #endif +diff --git a/telnet/authenc.c b/telnet/authenc.c +index 82741770..8f3adedd 100644 +--- a/telnet/authenc.c ++++ b/telnet/authenc.c +@@ -91,9 +91,9 @@ telnet_spin (void) + } + + char * +-telnet_getenv (char *val) ++telnet_getenv (char *val, bool exported_only) + { +- return ((char *) env_getvalue (val)); ++ return ((char *) env_getvalue (val, exported_only)); + } + + char * +diff --git a/telnet/commands.c 
b/telnet/commands.c +index b904933d..d699da04 100644 +--- a/telnet/commands.c ++++ b/telnet/commands.c +@@ -67,6 +67,7 @@ + #include + #include + ++#include + #include + #include + #include /* LLONG_MAX for Solaris. */ +@@ -2050,10 +2051,10 @@ env_default (int init, int welldefined) + } + + unsigned char * +-env_getvalue (const char *var) ++env_getvalue (const char *var, bool exported_only) + { + struct env_lst *ep = env_find (var); +- if (ep) ++ if (ep && (!exported_only || ep->export)) + return (ep->value); + return (NULL); + } +diff --git a/telnet/externs.h b/telnet/externs.h +index ce5d43b7..b577fd9a 100644 +--- a/telnet/externs.h ++++ b/telnet/externs.h +@@ -67,6 +67,7 @@ + # endif + #endif + ++#include + #include + #include + #if defined CRAY && !defined NO_BSD_SETJMP +@@ -331,7 +332,8 @@ env_opt (unsigned char *, int), + env_opt_start (void), + env_opt_start_info (void), env_opt_add (unsigned char *), env_opt_end (int); + +-extern unsigned char *env_default (int, int), *env_getvalue (const char *); ++extern unsigned char *env_default (int, int); ++extern unsigned char *env_getvalue (const char *, bool); + + int dosynch (const char *); + int get_status (const char *); +diff --git a/telnet/telnet.c b/telnet/telnet.c +index 1efa50ab..be8e07a3 100644 +--- a/telnet/telnet.c ++++ b/telnet/telnet.c +@@ -496,7 +496,7 @@ dooption (int option) + #endif + + case TELOPT_XDISPLOC: /* X Display location */ +- if (env_getvalue ("DISPLAY")) ++ if (env_getvalue ("DISPLAY", false)) + new_state_ok = 1; + break; + +@@ -793,7 +793,7 @@ gettermname (void) + resettermname = 0; + if (tnamep && tnamep != unknown) + free (tnamep); +- if ((tname = (char *) env_getvalue ("TERM")) && ++ if ((tname = (char *) env_getvalue ("TERM", false)) && + (init_term (tname, &err) == 0)) + { + tnamep = mklist (termbuf, tname); +@@ -992,7 +992,7 @@ suboption (void) + unsigned char temp[50], *dp; + int len; + +- if ((dp = env_getvalue ("DISPLAY")) == NULL) ++ if ((dp = env_getvalue ("DISPLAY", false)) 
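Review bot: The new `exported_only` flag on `env_getvalue` is undocumented, and a bare `true`/`false` at the call sites gives no hint which value is the safe one for data that goes back to the server. In this patch only `env_opt_add` passes `true`; the `DISPLAY` and `TERM` lookups pass `false`, so those two are still read regardless of their export mark, which is presumably deliberate but is not stated anywhere. I would add a comment above the definition such as `/* With EXPORTED_ONLY set, return NULL for variables not marked for export; use this for any value sent in reply to a server request. */` so that a later caller does not reintroduce the leak by copying a `false` call.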
== NULL) + { + /* + * Something happened, we no longer have a DISPLAY +@@ -1727,7 +1727,7 @@ env_opt_add (unsigned char *ep) + env_opt_add (ep); + return; + } +- vp = env_getvalue ((char *) ep); ++ vp = env_getvalue ((char *) ep, true); + if (opt_replyp + (vp ? strlen ((char *) vp) : 0) + + strlen ((char *) ep) + 6 > opt_replyend) + { +@@ -2484,7 +2484,7 @@ telnet (char *user) + send_will (TELOPT_LINEMODE, 1); + send_will (TELOPT_NEW_ENVIRON, 1); + send_do (TELOPT_STATUS, 1); +- if (env_getvalue ("DISPLAY")) ++ if (env_getvalue ("DISPLAY", false)) + send_will (TELOPT_XDISPLOC, 1); + if (eight) + tel_enter_binary (eight); +-- +2.53.0 + diff -Nru inetutils-2.6/debian/patches/local/0009-telnetd-Prevent-user-local-privilege-escalation-usin.patch inetutils-2.6/debian/patches/local/0009-telnetd-Prevent-user-local-privilege-escalation-usin.patch --- inetutils-2.6/debian/patches/local/0009-telnetd-Prevent-user-local-privilege-escalation-usin.patch 1970-01-01 00:00:00.000000000 +0000 +++ inetutils-2.6/debian/patches/local/0009-telnetd-Prevent-user-local-privilege-escalation-usin.patch 2026-03-30 14:44:03.000000000 +0000 
@@ -0,0 +1,178 @@ +From 2fbe8789599fb46844b03f45ce28af743528e767 Mon Sep 17 00:00:00 2001 +From: Guillem Jover +Date: Mon, 23 Mar 2026 23:38:13 +0100 +Subject: [PATCH] telnetd: Prevent user local privilege escalation using + --debug + +Do not try to open an existing hardcoded /tmp/telnet.debug file for +appending debug logging, as that is going to be fraught with security +issues. + +This would require at least making sure we do not follow symlinks, and +that the permissions and ownership are safe. But that would not prevent +a user pre-creating a file and then keeping it open, which means any +authentication logged would get snooped. + +Simply aborting on file existence during open, is not an option either +because then we can only serve a single client. And switching to log +all the debugging output, which amounts to the telnet protocol stream, +into syslog would leak user credentials, might be too verbose for +syslog, and would need to be sanitized somehow anyway. + +Instead, we switch to use a subdirectory under /run, where we write one +debug output file per server process, designated by its pid, in the form +of /run/telnet/debug., and make any error when setting this up +fatal. 
+ +Partially-reported-by: Justin Swartz +Link: https://lists.gnu.org/r/bug-inetutils/2026-03/msg00040.html +Origin: vendor, Debian +Forwarded: no +--- + paths | 1 + + telnetd/Makefile.am | 3 ++- + telnetd/telnetd.c | 1 + + telnetd/telnetd.h | 2 ++ + telnetd/utility.c | 41 ++++++++++++++++++++++++++--------------- + 5 files changed, 32 insertions(+), 16 deletions(-) + +diff --git a/paths b/paths +index 93ecf7ab..8e86e03e 100644 +--- a/paths ++++ b/paths +@@ -78,6 +78,7 @@ PATH_FTPUSERS $(sysconfdir)/ftpusers + PATH_FTPCHROOT $(sysconfdir)/ftpchroot + PATH_FTPWELCOME $(sysconfdir)/ftpwelcome + PATH_FTPDPID $(runstatedir)/ftpd.pid ++PATH_TELNETDBGD $(runstatedir)/telnet + PATH_INETDCONF $(sysconfdir)/inetd.conf + PATH_INETDDIR $(sysconfdir)/inetd.d + PATH_INETDPID $(runstatedir)/inetd.pid +diff --git a/telnetd/Makefile.am b/telnetd/Makefile.am +index 7e9916be..3e1f0a7d 100644 +--- a/telnetd/Makefile.am ++++ b/telnetd/Makefile.am +@@ -22,7 +22,8 @@ AM_CPPFLAGS = \ + $(iu_INCLUDES) \ + -I$(top_srcdir) \ + $(INCAUTH) $(NCURSES_INCLUDE) \ +- $(PATHDEF_DEV) $(PATHDEF_TTY) $(PATHDEF_TTY_PFX) $(PATHDEF_LOGIN) ++ $(PATHDEF_DEV) $(PATHDEF_TTY) $(PATHDEF_TTY_PFX) $(PATHDEF_LOGIN) \ ++ $(PATHDEF_TELNETDBGD) + + LDADD = \ + $(top_builddir)/libtelnet/libtelnet.a \ +diff --git a/telnetd/telnetd.c b/telnetd/telnetd.c +index 104d9c16..0db8468e 100644 +--- a/telnetd/telnetd.c ++++ b/telnetd/telnetd.c +@@ -182,6 +182,7 @@ parse_opt (int key, char *arg, struct argp_state *state MAYBE_UNUSED) + + case 'D': + parse_debug_level (arg); ++ debug_open (); + break; + + case 'E': +diff --git a/telnetd/telnetd.h b/telnetd/telnetd.h +index 3d7ebeef..1c9759a4 100644 +--- a/telnetd/telnetd.h ++++ b/telnetd/telnetd.h +@@ -287,6 +287,8 @@ extern void printdata (char *, char *, int); + extern void printsub (int, unsigned char *, int); + extern void debug_output_datalen (const char *data, size_t len); + extern void debug_output_data (const char *fmt, ...); ++extern void debug_open (void); ++extern void 
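Review bot: `debug_open ()` is now called from the `'D'` case of `parse_opt`, so the debug file is created while options are still being parsed, and the definition in telnetd/utility.c reports both its failures (`fatalperror (pty, ...)`) and the file name (`dprintf (pty, ...)`) through `pty`. Whether `pty` already holds a meaningful descriptor at that point is not visible in this patch; if it is still at its initial value, the messages go to whatever descriptor that number happens to be. Either defer the open until the descriptors are set up, or mark the call with something like `/* NOTE: runs during option parsing; debug_open () writes to 'pty', confirm it is valid here. */`. `parse_opt` starts and ends outside this hunk.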
debug_close (void); + + /* TTY functions */ + extern void init_termbuf (void); +diff --git a/telnetd/utility.c b/telnetd/utility.c +index 1e7adb08..803da196 100644 +--- a/telnetd/utility.c ++++ b/telnetd/utility.c +@@ -27,6 +27,7 @@ + # include + #endif + #include ++#include + + #if defined AUTHENTICATION || defined ENCRYPTION + # include +@@ -894,47 +895,58 @@ terminaltypeok (char *s) + /* Debugging support */ + + static FILE *debug_fp = NULL; ++static char *debug_file = NULL; + +-static int ++void + debug_open (void) + { +- int um = umask (077); ++ int fd; ++ ++ if (debug_fp) ++ return; ++ ++ if (mkdir (PATH_TELNETDBGD, 0700) < 0 && errno != EEXIST) ++ fatalperror (pty, "cannot create debug output directory"); ++ ++ if (asprintf (&debug_file, "%s/debug.%d", PATH_TELNETDBGD, getpid()) < 0) ++ fatalperror (pty, "cannot allocate debug output filename"); ++ ++ fd = open (debug_file, O_CREAT | O_EXCL | O_WRONLY | O_CLOEXEC, 0600); ++ if (fd < 0) ++ fatalperror (pty, "cannot open debug output file"); ++ ++ debug_fp = fdopen (fd, "a"); + if (!debug_fp) +- debug_fp = fopen ("/tmp/telnet.debug", "a"); +- umask (um); +- return debug_fp == NULL; ++ fatalperror (pty, "cannot associate stream to debug file descriptor"); ++ ++ setlinebuf (debug_fp); ++ ++ dprintf (pty, "Debug output log file is '%s'.\n", debug_file); + } + +-static int ++void + debug_close (void) + { + if (debug_fp) + fclose (debug_fp); ++ free (debug_file); + debug_fp = NULL; +- +- return 0; + } + + void + debug_output_datalen (const char *data, size_t len) + { +- if (debug_open ()) +- return; +- + fwrite (data, 1, len, debug_fp); +- debug_close (); + } + + void + debug_output_data (const char *fmt, ...) 
+ { + va_list ap; +- if (debug_open ()) +- return; ++ + va_start (ap, fmt); + vfprintf (debug_fp, fmt, ap); + va_end (ap); +- debug_close (); + } + + /* +-- +2.53.0 + diff -Nru inetutils-2.6/debian/patches/series inetutils-2.6/debian/patches/series --- inetutils-2.6/debian/patches/series 2026-02-18 01:26:21.000000000 +0000 +++ inetutils-2.6/debian/patches/series 2026-03-30 14:44:03.000000000 +0000 @@ -2,6 +2,8 @@ upstream/0001-Fix-injection-bug-with-bogus-user-names.patch upstream/0002-telnetd-Sanitize-all-variable-expansions.patch upstream/0001-telnetd-don-t-allow-systemd-service-credentials.patch +upstream/0004-telnetd-add-the-new-accept-env-option.patch +upstream/0005-telnetd-fix-stack-buffer-overflow-processing-SLC-sub.patch # Local patches local/0001-build-Disable-GFDL-info-files-and-useless-man-pages.patch local/0002-build-Use-runstatedir-for-run-directory.patch @@ -9,3 +11,6 @@ local/0004-Use-krb5_auth_con_getsendsubkey-instead-of-krb5_auth.patch local/0005-inetd-Add-new-foreground-option.patch local/0006-tests-Remove-bogus-test-for-unsorted-file-listing.patch +local/0007-gnulib-update.patch +local/0008-telnet-Do-not-leak-environment-variables-not-marked-.patch +local/0009-telnetd-Prevent-user-local-privilege-escalation-usin.patch diff -Nru inetutils-2.6/debian/patches/upstream/0001-telnetd-don-t-allow-systemd-service-credentials.patch inetutils-2.6/debian/patches/upstream/0001-telnetd-don-t-allow-systemd-service-credentials.patch --- inetutils-2.6/debian/patches/upstream/0001-telnetd-don-t-allow-systemd-service-credentials.patch 2026-02-18 01:26:21.000000000 +0000 +++ inetutils-2.6/debian/patches/upstream/0001-telnetd-don-t-allow-systemd-service-credentials.patch 2026-03-30 14:44:03.000000000 +0000 
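Review bot: `debug_output_datalen` and `debug_output_data` now hand `debug_fp` straight to `fwrite`/`vfprintf` with no NULL check, so any call made before `debug_open` has run (it is only invoked from the `'D'` case in `parse_opt`) or after `debug_close` passes a null stream. `debug_close` also frees `debug_file` without clearing it, so a second call would free it twice. Separately, nothing visible here removes the per-PID file: it holds the protocol stream, and because the open uses `O_EXCL` and failure is fatal, a leftover `debug.PID` would presumably make `--debug` fail for a later process that reuses that PID. Whether to unlink on close is a policy call for the maintainers; the guards below are cheap either way.

```c
/* in debug_close (), after the fclose: */
  debug_fp = NULL;
  free (debug_file);
  debug_file = NULL;	/* make a repeated debug_close () harmless */

void
debug_output_datalen (const char *data, size_t len)
{
  if (!debug_fp)
    return;
  /* … unchanged: fwrite call … */
}

void
debug_output_data (const char *fmt, ...)
{
  va_list ap;

  if (!debug_fp)
    return;
  /* … unchanged: va_start / vfprintf / va_end … */
}
```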
@@ -26,6 +26,11 @@ * telnetd/pty.c: Clear CREDENTIALS_DIRECTORY from the environment before executing 'login'. + +Reported-by: Ron Ben Yizhak +Fixes: CVE-2026-28372 +Origin: upstream, commit:4db2f19f4caac03c7f4da6363c140bd70df31386 +Forwarded: not-needed --- telnetd/pty.c | 8 ++++++++ 3 files changed, 14 insertions(+) diff -Nru inetutils-2.6/debian/patches/upstream/0004-telnetd-add-the-new-accept-env-option.patch inetutils-2.6/debian/patches/upstream/0004-telnetd-add-the-new-accept-env-option.patch --- inetutils-2.6/debian/patches/upstream/0004-telnetd-add-the-new-accept-env-option.patch 1970-01-01 00:00:00.000000000 +0000 +++ inetutils-2.6/debian/patches/upstream/0004-telnetd-add-the-new-accept-env-option.patch 2026-03-30 14:44:03.000000000 +0000 
@@ -0,0 +1,258 @@ +From d46bd3ccd013e5f0d251862cadab71ba4d4c2caa Mon Sep 17 00:00:00 2001 +From: Collin Funk +Date: Thu, 5 Mar 2026 21:35:22 -0800 +Subject: [PATCH 4/5] telnetd: add the new --accept-env option + +This changes telnetd to ignore all environment options from clients +unless the variable was listed by an --accept-env option. This +mitigates the many ways to escalate privileges using environment +variables. + +* NEWS.md: Mention the change. +* bootstrap.conf (gnulib_modules): Add hashcode-string1, hash-set, and +xset. +* doc/inetutils.texi (telnetd invocation): Mention the new option. +* telnetd/pty.c (scrub_env): Remove function. +(start_login): Remove call to scrub_env. Remove unsetenv call that is +no longer needed. +* telnetd/state.c (suboption): Check for the environment variable in +accept_env_set before making changes to the environment. +* telnetd/telnetd.c (accept_env_set): New variable. +(string_hashcode, string_equals): New function needed for +gl_set_create_empty. +(ACCEPT_ENV_OPTION): New definition. +(argp_options): Add the --accept-env option. +(parse_opt): Process the new option. +(telnetd_setup): Clear the environment before processing options. +* telnetd/telnetd.h: Include gl_hash_set.h, gl_xset.h, and +hashcode-string1.h. +(accept_env_set): New declaration. 
+ +Origin: upstream, commit:81d436d26d5497423e28841af91756e373446cf4 +Forwarded: not-needed +--- + bootstrap.conf | 3 +++ + doc/inetutils.texi | 6 ++++++ + telnetd/pty.c | 32 -------------------------------- + telnetd/state.c | 22 ++++++++++++++-------- + telnetd/telnetd.c | 44 ++++++++++++++++++++++++++++++++++++-------- + telnetd/telnetd.h | 4 ++++ + 6 files changed, 63 insertions(+), 48 deletions(-) + +--- a/bootstrap.conf ++++ b/bootstrap.conf +@@ -66,6 +66,8 @@ getusershell + git-version-gen + gitlog-to-changelog + glob ++hashcode-string1 ++hash-set + intprops + inttostr + inttypes +@@ -117,6 +119,7 @@ xalloc-die + xgetcwd + xgetdomainname + xgethostname ++xset + xsize + xstrtoimax + xvasprintf +--- a/doc/inetutils.texi ++++ b/doc/inetutils.texi +@@ -4952,6 +4952,12 @@ telnetd [@var{option}]@dots{} + @end example + + @table @option ++@item --accept-env @var{VAR} ++@opindex --accept-env ++Allow clients to define the @var{VAR} environment variable. GNU ++@command{telnetd} removes all environment variables by default since ++many of them can be used to escalate privileges. ++ + @item -a @var{authmode} + @itemx --authmode=@var{authmode} + @opindex -a +--- a/telnetd/pty.c ++++ b/telnetd/pty.c +@@ -83,29 +83,6 @@ startslave (char *host, int autologin, c + return master; + } + +-/* +- * scrub_env() +- * +- * Remove a few things from the environment that +- * don't need to be there. +- * +- * Security fix included in telnet-95.10.23.NE of David Borman . 
+- */ +-static void +-scrub_env (void) +-{ +- char **cpp, **cpp2; +- +- for (cpp2 = cpp = environ; *cpp; cpp++) +- { +- if (strncmp (*cpp, "LD_", 3) +- && strncmp (*cpp, "_RLD_", 5) +- && strncmp (*cpp, "LIBPATH=", 8) && strncmp (*cpp, "IFS=", 4)) +- *cpp2++ = *cpp; +- } +- *cpp2 = 0; +-} +- + void + start_login (char *host, int autologin, char *name) + { +@@ -117,8 +94,6 @@ start_login (char *host, int autologin, + (void) autologin; + (void) name; + +- scrub_env (); +- + /* Set the environment variable "LINEMODE" to indicate our linemode */ + if (lmodetype == REAL_LINEMODE) + setenv ("LINEMODE", "real", 1); +@@ -130,13 +105,6 @@ start_login (char *host, int autologin, + fatal (net, "can't expand login command line"); + argcv_get (cmd, "", &argc, &argv); + +- /* util-linux's "login" introduced an authentication bypass method +- * via environment variable "CREDENTIALS_DIRECTORY" in version 2.40. +- * Clear it from the environment before executing "login" to prevent +- * abuse via Telnet. 
+- */ +- unsetenv ("CREDENTIALS_DIRECTORY"); +- + execv (argv[0], argv); + syslog (LOG_ERR, "%s: %m\n", cmd); + fatalperror (net, cmd); +--- a/telnetd/state.c ++++ b/telnetd/state.c +@@ -1495,10 +1495,13 @@ suboption (void) + case NEW_ENV_VAR: + case ENV_USERVAR: + *cp = '\0'; +- if (valp) +- setenv (varp, valp, 1); +- else +- unsetenv (varp); ++ if (accept_env_set && gl_set_search (accept_env_set, varp)) ++ { ++ if (valp) ++ setenv (varp, valp, 1); ++ else ++ unsetenv (varp); ++ } + cp = varp = (char *) subpointer; + valp = 0; + break; +@@ -1514,10 +1517,13 @@ suboption (void) + } + } + *cp = '\0'; +- if (valp) +- setenv (varp, valp, 1); +- else +- unsetenv (varp); ++ if (accept_env_set && gl_set_search (accept_env_set, varp)) ++ { ++ if (valp) ++ setenv (varp, valp, 1); ++ else ++ unsetenv (varp); ++ } + break; + } /* end of case TELOPT_NEW_ENVIRON */ + #if defined AUTHENTICATION +--- a/telnetd/telnetd.c ++++ b/telnetd/telnetd.c +@@ -105,10 +105,32 @@ char *terminaltype; + + int SYNCHing; /* we are in TELNET SYNCH mode */ + struct telnetd_clocks clocks; +- ++ ++/* Set of environment variables that we do not remove from clients. */ ++gl_set_t accept_env_set = NULL; ++ ++static size_t ++string_hashcode (const void *s) ++{ ++ return hash_string (s, strlen (s)); ++} ++ ++static bool ++string_equals (const void *a, const void *b) ++{ ++ return strcmp (a, b) == 0; ++} ++ ++/* List of long options without short option counterparts. 
*/ ++enum ++{ ++ ACCEPT_ENV_OPTION = UCHAR_MAX + 1 ++}; + + static struct argp_option argp_options[] = { + #define GRID 10 ++ {"accept-env", ACCEPT_ENV_OPTION, "NAME", 0, ++ "accept the environment variable from clients", GRID}, + {"debug", 'D', "LEVEL", OPTION_ARG_OPTIONAL, + "set debugging level", GRID}, + {"exec-login", 'E', "STRING", 0, +@@ -144,6 +166,14 @@ parse_opt (int key, char *arg, struct ar + { + switch (key) + { ++ ++ case ACCEPT_ENV_OPTION: ++ if (!accept_env_set) ++ accept_env_set = gl_set_create_empty (GL_HASH_SET, string_equals, ++ string_hashcode, NULL); ++ gl_set_add (accept_env_set, arg); ++ break; ++ + #ifdef AUTHENTICATION + case 'a': + parse_authmode (arg); +@@ -497,13 +527,11 @@ telnetd_setup (int fd) + + io_setup (); + +- /* Before doing anything related to the identity of the client, +- * scrub the environment variable USER, since it may be set with +- * an irrelevant user name at this point. OpenBSD has been known +- * to offend at this point with their own inetd. Any demand for +- * autologin will get attention in getterminaltype(). +- */ +- unsetenv ("USER"); ++ /* Clear the environment of all variables before doing anything. This avoids ++ many ways of escalating privileges. Environment variable options sent by ++ the client will be checked against ACCEPT_ENV_SET. */ ++ static char *dummy_environ[] = { NULL }; ++ environ = dummy_environ; + + /* get terminal type. 
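Review bot: `string_hashcode` passes `strlen (s)` as the table size to `hash_string`, so every hash is reduced modulo the name's own length: a four-character name can only hash to 0..3, and a zero-length name makes the modulus 0. With the `USE_DIFF_HASH` variant of `hash_string` added by the gnulib patch that is a division by zero; the other variant avoids it only because its loop never runs for an empty string. The name looked up in telnetd/state.c comes from the client, so this should not depend on which variant is built. A fixed non-zero modulus, e.g. `return hash_string (s, SIZE_MAX);`, removes both problems and leaves bucket selection to the set implementation.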
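Review bot: The `ACCEPT_ENV_OPTION` case adds `arg` to `accept_env_set` without any check, and the same patch removes `scrub_env` and the `unsetenv ("CREDENTIALS_DIRECTORY")` call from telnetd/pty.c, so this allowlist is now the only barrier between a client-supplied variable and `login`. A single over-broad entry on the command line would bring back the exposures those removed lines blocked unconditionally. I would have this case reject, or at least report through `syslog`, the names the old code always stripped (the `LD_` and `_RLD_` prefixes, `LIBPATH`, `IFS`, `CREDENTIALS_DIRECTORY`) as well as an empty `arg`, and say so in the option's help text. `parse_opt` starts and ends outside this hunk.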
*/ + uname[0] = 0; +--- a/telnetd/telnetd.h ++++ b/telnetd/telnetd.h +@@ -57,6 +57,9 @@ + #define obstack_chunk_free free + #include + ++#include "gl_hash_set.h" ++#include "gl_xset.h" ++#include "hashcode-string1.h" + #include "xalloc.h" + + #ifndef HAVE_CC_T +@@ -251,6 +254,7 @@ extern char *user_name; + extern int pty, net; + extern int SYNCHing; /* we are in TELNET SYNCH mode */ + extern struct telnetd_clocks clocks; ++extern gl_set_t accept_env_set; + extern char line[]; + + extern char *xstrdup (const char *); diff -Nru inetutils-2.6/debian/patches/upstream/0005-telnetd-fix-stack-buffer-overflow-processing-SLC-sub.patch inetutils-2.6/debian/patches/upstream/0005-telnetd-fix-stack-buffer-overflow-processing-SLC-sub.patch --- inetutils-2.6/debian/patches/upstream/0005-telnetd-fix-stack-buffer-overflow-processing-SLC-sub.patch 1970-01-01 00:00:00.000000000 +0000 +++ inetutils-2.6/debian/patches/upstream/0005-telnetd-fix-stack-buffer-overflow-processing-SLC-sub.patch 2026-03-30 14:44:03.000000000 +0000 
@@ -0,0 +1,40 @@
+From 6a2c3aa5c4ca5f09bdb6fdb28d9d369432506f3f Mon Sep 17 00:00:00 2001
+From: Collin Funk
+Date: Wed, 11 Mar 2026 23:06:46 -0700
+Subject: [PATCH 5/5] telnetd: fix stack buffer overflow processing SLC
+ suboption triplets
+
+Previously a client could write past the end of an internal buffer using
+an SLC suboption with many triplets using function octets greater than
+18, possibly leading to remote code execution. Reported by Adiel Sol,
+Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel at DREAM
+Security Research Team at:
+.
+
+* telnetd/slc.c (add_slc): Return early if writing the tuple would lead
+us to writing past the end of the buffer.
+
+Fixes: CVE-2026-32746
+Origin: upstream, commit:95751794e3da2eebd605238ddbff2232b68edb5f
+Forwarded: not-needed
+---
+ telnetd/slc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/telnetd/slc.c b/telnetd/slc.c
+index 9b5cadd0..e87a5a96 100644
+--- a/telnetd/slc.c
++++ b/telnetd/slc.c
+@@ -162,6 +162,9 @@ get_slc_defaults (void)
+ void
+ add_slc (char func, char flag, cc_t val)
+ {
++ /* Do nothing if the entire triplet cannot fit in the buffer. */
++ if (slcbuf + sizeof slcbuf - slcptr <= 6)
++ return;
+
+ if ((*slcptr++ = (unsigned char) func) == 0xff)
+ *slcptr++ = 0xff;
+--
+2.53.0
+
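Review bot: The bound `<= 6` in `add_slc` is a bare number whose reasoning is not stated: a triplet needs at most 6 bytes once every 0xff octet is doubled, so `<= 6` keeps exactly one byte beyond that in reserve. Whether that reserve covers what is appended after the last triplet cannot be checked from this hunk, because the code that closes the buffer lies outside it and `add_slc` itself continues past the hunk. I would spell the arithmetic out, e.g. `/* A triplet is at most 6 bytes (each octet may be doubled); keep N bytes for the trailer. */`, with N confirmed against the function that terminates the suboption. The triplet is also dropped silently, so a debug-level diagnostic on this path would help detect a client sending oversized SLC suboptions.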