Erik Auerswald <[email protected]> writes:

> Hi Simon,
>
> On Thu, Jan 22, 2026 at 09:03:00AM +0100, Simon Josefsson wrote:
>> Erik Auerswald <[email protected]> writes:
>>
>> >> It has been suggested to pass USER value to login after a '--'
>> >> parameter, which makes sense.
>> >
>> > Yes, that could be additional hardening, at least for GNU/Linux.
>>
>> So how about the attached patch? Would need some testing on exotic
>> platforms, but I'm not sure how to do that without putting this into a
>> release and listening to feedback after 5 years.
>
> Looks good to me. I also think it would be OK to just add this, and
> address problems if and when they are reported.

Pushed here for further review and testing:
https://codeberg.org/inetutils/inetutils/pulls/7

>> The code wrt passing parameters to /bin/login is complex, IMHO, which
>> may be a contributing factor to why this old vulnerability was
>> re-implemented here. The -E template seems like a nice thing though:
>>
>> https://www.gnu.org/software/inetutils/manual/inetutils.html#Crafting-an-execution-string_002e
>
> This might allow testing the templating code. It also allows one to
> mitigate this vulnerability without installing an update.

Indeed, thus one workaround for telnetd's security vulnerability that
wouldn't require re-compilation would be to pass
-E " -p -h %h %?u{-f -- %u}{-- %U}" to telnetd. Then presumably
/bin/login will reject '-f root' as an invalid username.

/Simon
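As an added illustration (not code from this thread or from inetutils) of why the `--` separators in the template above matter, here is a small Python model of the `-E` template expansion and of how a getopt-style `/bin/login` then reads the result. It assumes `%h` is the remote host, `%u` the name established by TELNET authentication, `%U` the client-supplied USER environment value, that `%?u{a}{b}` picks `a` when `%u` is non-empty, that telnetd splits the expanded string on whitespace, and that login takes `-p`, `-h HOST` and a bare `-f` flag with the username as a positional argument.

```python
import getopt
import re

# Constructed sample values (not from the thread): a remote host and a USER
# environment value shaped like the "-f root" case the thread discusses.
REMOTE_HOST = "client.example"
HOSTILE_USER_ENV = "-f root"

# The hardened template is the workaround quoted in the thread; the other is the
# same template with the "--" separators removed, for comparison only.
HARDENED_TEMPLATE = "-p -h %h %?u{-f -- %u}{-- %U}"
UNHARDENED_TEMPLATE = "-p -h %h %?u{-f %u}{%U}"

_COND = re.compile(r"%\?(\w)\{([^{}]*)\}\{([^{}]*)\}")


def expand_template(template, host, auth_user, env_user):
    """Expand %h, %u, %U and %?X{then}{else} under the assumed semantics:
    %?X picks 'then' when variable X is non-empty, otherwise 'else'."""
    values = {"h": host, "u": auth_user, "U": env_user}

    def pick(match):
        name, then_branch, else_branch = match.groups()
        return then_branch if values.get(name, "") else else_branch

    text = _COND.sub(pick, template)  # resolve conditionals first
    return re.sub(r"%([huU])", lambda m: values[m.group(1)], text)


def login_argv(template, host, auth_user, env_user):
    """Model telnetd turning the expanded string into login's argv by splitting
    on whitespace (assumed): this is where a USER value of "-f root" becomes
    two separate arguments instead of one username."""
    return ["login"] + expand_template(template, host, auth_user, env_user).split()


def login_view(argv):
    """Parse argv as a getopt-style /bin/login would (assumed option letters:
    -p, -h HOST, -f; username positional). getopt stops option parsing at "--",
    so everything after it comes back as positional text, never as a flag.
    Returns (flags seen, positional arguments)."""
    opts, positional = getopt.getopt(argv[1:], "fph:")
    return [flag for flag, _ in opts], positional


if __name__ == "__main__":
    for label, template in (("unhardened", UNHARDENED_TEMPLATE),
                            ("hardened", HARDENED_TEMPLATE)):
        argv = login_argv(template, REMOTE_HOST, "", HOSTILE_USER_ENV)
        print(label, argv, login_view(argv))
```

With the separators, login sees `-f` and `root` only as positional text after `--`, so the forced-login flag is never parsed; without them, the same USER value reaches login as the `-f` option plus the username `root`.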