Hi Simon,

On Thu, Jan 22, 2026 at 09:03:00AM +0100, Simon Josefsson wrote:
> Erik Auerswald <[email protected]> writes:
>
> >> It has been suggested to pass USER value to login after a '--'
> >> parameter, which makes sense.
> >
> > Yes, that could be additional hardening, at least for GNU/Linux.
>
> So how about the attached patch? Would need some testing on exotic
> platforms, but I'm not sure how to do that without putting this into a
> release and listening to feedback after 5 years.

Looks good to me. I also think it would be OK to just add this, and
address problems if/when they are reported.

> The code wrt passing parameters to /bin/login is complex, IMHO, which
> may be a contributing factor to why this old vulnerability was
> re-implemented here. The -E template seems like a nice thing though:
>
> https://www.gnu.org/software/inetutils/manual/inetutils.html#Crafting-an-execution-string_002e

This might allow testing the templating code. It also allows mitigating
this vulnerability without installing an update.

> (Btw, I fixed the trailing period in the section title...)

:-)

Thanks,
Erik
