This patch set addresses a regression of CVE-1999-0073 (environment injection in telnetd) where the existing blacklist strategy has not been capable of neutralising all potentially dangerous environment variables introduced by modern versions of glibc.
The current implementation attempts to drop specific variables from the environment, but this approach doesn't account for many of the so-called UNSECURE_ENVVARS that can allow unauthenticated remote attackers to manipulate the login process. CONTEXT The need for a whitelist approach was suggested by Simon Josefsson [1] and security implications were put into context by Solar Designer [2]. PATCH 1/2 The daemon now clears the inherited environment, preserving only PATH and TERM, before enforcing a strict default whitelist (USER, LOGNAME, TERM, LANG and LC_*) for all client-negotiated variables. PATCH 2/2 A new command line option, -W / --accept-env, has been introduced for administrators to explicitly extend the whitelist if specific environment variables are required. [1] https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00002.html [2] https://www.openwall.com/lists/oss-security/2026/02/24/2 Justin Swartz (2): telnetd: replace environment blacklist with a whitelist. telnetd: add --accept-env option to extend the whitelist. telnetd/pty.c | 32 ----------------- telnetd/state.c | 26 +++++++++++--- telnetd/telnetd.c | 8 +++++ telnetd/telnetd.h | 4 +++ telnetd/utility.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 124 insertions(+), 36 deletions(-) --
