On Sat, Feb 07, 2026 at 06:58:04PM +0100, Simon Josefsson wrote:
> [...]
> We should review BSD telnet's etc to see if this problem has been
> solved before.

According to the man pages from FreeBSD[1], NetBSD[2], and OpenBSD[3],
their telnetd implementations accept(ed) any environment variables from
clients.

[1] https://man.freebsd.org/cgi/man.cgi?query=telnetd&apropos=0&sektion=0&manpath=FreeBSD+15.0-RELEASE+and+Ports&arch=default&format=html
[2] https://man.netbsd.org/telnetd.8
[3] https://man.openbsd.org/OpenBSD-3.7/telnetd

The "Security Concerns" sections of RFC 1408[4] from 1993 and RFC 1572[5]
from 1994 already describe the possible problem:

"[...] An example of a bad choice would be permitting a variable to be
changed that allows an intruder to circumvent or compromise the
login/authentication program itself."

[4] https://www.rfc-editor.org/rfc/rfc1408.html#section-7
[5] https://www.rfc-editor.org/rfc/rfc1572#section-7

Cheers,
Erik
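
The RFC text quoted above leaves it to the server to decide which client-supplied variables it permits. As an added example (not part of the original message and not code from any telnetd), the following parses an RFC 1572 NEW-ENVIRON IS/INFO payload and keeps only allowlisted names. The allowlist contents, the function names and the sample payload are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* NEW-ENVIRON codes from RFC 1572 (several share a value by design). */
enum { ENV_IS = 0, ENV_INFO = 2, ENV_VAR = 0, ENV_VALUE = 1, ENV_ESC = 2, ENV_USERVAR = 3 };
/* Hypothetical policy: the only names handed on to the login program. */
static const char *const allowed[] = { "TERM", "DISPLAY", "LANG", NULL };
/* Constructed sample payload: TERM=xterm plus one name not on the list. */
static const unsigned char sample[] = { ENV_IS, ENV_VAR, 'T','E','R','M', ENV_VALUE,
    'x','t','e','r','m', ENV_USERVAR, 'U','N','L','I','S','T','E','D', ENV_VALUE, 'x' };

static int name_allowed(const char *name)
{
    for (size_t i = 0; allowed[i]; i++)
        if (strcmp(name, allowed[i]) == 0) return 1;
    return 0;
}
/* Copy one name or value into out, undoing ESC; returns the offset after it. */
static size_t read_token(const unsigned char *p, size_t i, size_t n, char *out, size_t cap)
{
    size_t o = 0;
    for (; i < n && p[i] != ENV_VAR && p[i] != ENV_VALUE && p[i] != ENV_USERVAR; i++) {
        if (p[i] == ENV_ESC && ++i == n) break;   /* ESC makes the next byte literal */
        if (o + 1 < cap) out[o++] = (char)p[i];
    }
    out[o] = '\0';
    return i;
}

/* p[0..n) is the payload between "IAC SB NEW-ENVIRON" and "IAC SE". Appends "NAME=value\n"
 * to out per allowed variable; returns the number dropped, or -1 if not IS/INFO. */
int filter_new_environ(const unsigned char *p, size_t n, char *out, size_t cap)
{
    char name[64], value[256];
    size_t i = 1, used = 0;
    int dropped = 0;
    if (cap == 0 || n == 0 || (p[0] != ENV_IS && p[0] != ENV_INFO)) return -1;
    out[0] = '\0';
    while (i < n) {
        if (p[i] != ENV_VAR && p[i] != ENV_USERVAR) { i++; continue; }
        i = read_token(p, i + 1, n, name, sizeof name);
        value[0] = '\0';
        if (i < n && p[i] == ENV_VALUE) i = read_token(p, i + 1, n, value, sizeof value);
        if (!name_allowed(name)) { dropped++; continue; }
        int w = snprintf(out + used, cap - used, "%s=%s\n", name, value);
        if (w > 0 && (size_t)w < cap - used) used += (size_t)w;
        else out[used] = '\0';                    /* did not fit: discard partial write */
    }
    return dropped;
}
```

Names longer than the local buffer are truncated before the comparison, so an over-long name never matches an allowlist entry.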
