Hi Collin,

Thank you for the pointer — we were not aware of Justin Swartz's earlier report [1]. We acknowledge that our finding is a duplicate.

We verified the exploit on both inetutils 2.0 (Debian Bullseye) and 2.7 (Debian sid, 2:2.7-3). The GCONV_PATH vector remains fully exploitable on the latest released version as of today. Our report includes a complete, self-contained PoC (Dockerfile, payload source, gconv-modules, and step-by-step reproduction instructions) — we are happy to share the full package if it would be helpful for developing and testing a fix.

Regarding the patch, we recommend that scrub_env() should filter — at minimum — all variables defined in glibc's UNSECURE_ENVVARS [2]:

GCONV_PATH, GETCONF_DIR, GLIBC_TUNABLES, HOSTALIASES, LD_AUDIT, LD_BIND_NOT, LD_BIND_NOW, LD_DEBUG, LD_DEBUG_OUTPUT, LD_DYNAMIC_WEAK, LD_LIBRARY_PATH, LD_ORIGIN_PATH, LD_PRELOAD, LD_PROFILE, LD_PROFILE_OUTPUT, LD_SHOW_AUXV, LD_VERBOSE, LD_WARN, LOCALDOMAIN, LOCPATH, MALLOC_ARENA_MAX, MALLOC_ARENA_TEST, MALLOC_MMAP_MAX_, MALLOC_MMAP_THRESHOLD_, MALLOC_PERTURB_, MALLOC_TOP_PAD_, MALLOC_TRACE, MALLOC_TRIM_THRESHOLD_, NIS_PATH, NLSPATH, RESOLV_HOST_CONF, RES_OPTIONS, TMPDIR, TZDIR

These variables are stripped by the dynamic linker when AT_SECURE=1, but telnetd's root-to-root exec of login means AT_SECURE=0 and they all pass through unchecked.

Ideally, as Justin also suggested, a whitelist-based approach (similar to OpenSSH's AcceptEnv) would be more robust than extending the current blacklist.

Could you let us know when a patch is committed? We would like to verify the fix on our end.

Best regards,
Shi Weiming
STAR Labs

[1] https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00017.html
[2] https://elixir.bootlin.com/glibc/glibc-2.43.9000/source/sysdeps/generic/unsecvars.h#L4

On Thu, Mar 5, 2026 at 5:16 AM Collin Funk <[email protected]> wrote:

> "Labs, STAR" <[email protected]> writes:
>
> > our team member, Shi Weiming, would like to report the following bug in GNU
> > inetutils telnetd.
> >
> > # GNU inetutils telnetd Local Privilege Escalation via GCONV_PATH
> > Environment Variable Injection
>
> This appears to be a duplicate of the issue mentioned by Justin Swartz [1].
>
> Collin
>
> [1] https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00017.html
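
The allowlist approach recommended in the message above (in the style of OpenSSH's AcceptEnv), shown in C as an added example; it is not inetutils code and not part of the original thread. The names `filter_env` and `name_allowed` and the allowlist contents (TERM, DISPLAY, LANG, LC_*) are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed policy for illustration; a real deployment picks its own list. */
static const char *const allowed_names[] = { "TERM", "DISPLAY", "LANG", "LC_*", NULL };

/* Return 1 if the name (length len) matches an allowlist pattern.
   A pattern ending in '*' matches any name that starts with its prefix;
   any other pattern must match the whole name exactly. */
static int name_allowed(const char *name, size_t len)
{
    for (size_t i = 0; allowed_names[i] != NULL; i++) {
        const char *pat = allowed_names[i];
        size_t plen = strlen(pat);
        if (plen > 0 && pat[plen - 1] == '*') {
            if (len >= plen - 1 && strncmp(name, pat, plen - 1) == 0)
                return 1;
        } else if (len == plen && strncmp(name, pat, len) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Compact envp in place, keeping only well-formed NAME=value entries whose
   NAME is allowlisted. Anything not explicitly allowed is dropped, so a
   variable missing from a denylist cannot slip through.
   Returns the number of entries kept. */
size_t filter_env(char **envp)
{
    size_t kept = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        const char *eq = strchr(envp[i], '=');
        if (eq == NULL || eq == envp[i])   /* no '=' or empty name: drop */
            continue;
        if (name_allowed(envp[i], (size_t)(eq - envp[i])))
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return kept;
}

int main(void)
{
    /* Constructed sample environment, not captured from a real session. */
    char *env[] = { "TERM=xterm", "GCONV_PATH=/tmp/x", "LD_PRELOAD=/tmp/y.so",
                    "LC_ALL=C", "TERMINFO=/tmp/z", "=bad", "NOEQUALS", NULL };
    size_t n = filter_env(env);
    for (size_t i = 0; i < n; i++)
        puts(env[i]);
    return 0;
}
```

Because matching is exact unless a pattern ends in `*`, `TERMINFO` is not admitted by the `TERM` entry, and the filter needs no update when glibc adds a new entry to UNSECURE_ENVVARS.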
