Erik Auerswald <[email protected]> writes: >> It has been suggested to pass USER value to login after a '--' >> parameter, which makes sense. > > Yes, that could be additional hardening, at least for GNU/Linux.
So how about the attached path? Would need some testing on exotic platforms, but I'm not sure how to do that without putting this into a release and listen to feedback after 5 years. The code wrt passing parameters to /bin/login is complex, IMHO, which may be a contributing factor to why this old vulnerability was re-implemented here. The -E template seems like a nice thing though: https://www.gnu.org/software/inetutils/manual/inetutils.html#Crafting-an-execution-string_002e (Btw, I fixed the trailing period in the section title...) /Simon
From f50a973e8da97d7b0f8ebd5afb1397bff907b173 Mon Sep 17 00:00:00 2001 From: Simon Josefsson <[email protected]> Date: Thu, 22 Jan 2026 08:55:08 +0100 Subject: [PATCH] Pass USER to /bin/login after a '--' delimiter * telnetd/telnetd (login_invocation): Add '--' for non-Solaris case. --- telnetd/telnetd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/telnetd/telnetd.c b/telnetd/telnetd.c index a2423add..219a19da 100644 --- a/telnetd/telnetd.c +++ b/telnetd/telnetd.c @@ -55,7 +55,7 @@ char *login_invocation = /* At least for SunOS 5.8. */ PATH_LOGIN " -h %h %?T{%T} %?u{-- %u}{%U}" #else /* !SOLARIS */ - PATH_LOGIN " -p -h %h %?u{-f %u}{%U}" + PATH_LOGIN " -p -h %h %?u{-f -- %u}{-- %U}" #endif ; -- 2.52.0
signature.asc
Description: PGP signature
