This patch set addresses a regression of CVE-1999-0073 (environment injection in telnetd) where the existing blacklist strategy has not been capable of neutralising all potentially dangerous environment variables introduced by modern versions of glibc.
The current implementation attempts to drop specific variables from the environment, but this approach doesn't account for many of the so-called UNSECURE_ENVVARS that can allow unauthenticated remote attackers to manipulate the login process. CONTEXT The need for a whitelist approach was suggested by Simon Josefsson [1] and security implications were put into context by Solar Designer [2]. CHANGES IN v2 The following adjustments have been made based on feedback received regarding v1: - Implemented global sanitization for all whitelisted variables to explicitly reject path separators, and explicit references to the current working directory and its parent. - Extended the whitelist validation to intercept TELOPT_TTYPE negotiations to prevent questionable TERM values from bypassing the NEW_ENVIRON filter. - Setup telnetd's --accept-env option for opt-in at compile-time via the autoconf flag: --enable-accept-env PATCH 1/2 The daemon now clears the inherited environment, preserving only PATH and TERM, before enforcing a strict default whitelist (USER, LOGNAME, TERM, LANG and LC_*) for all client-negotiated variables, coupled with value sanitization to prevent path-based injection attacks. PATCH 2/2 A new command line option, -W / --accept-env, has been introduced for administrators to explicitly extend the whitelist if specific environment variables are required. Note that this feature is optional, and must be enabled by passing --enable-accept-env on configure's command line. [1] https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00002.html [2] https://www.openwall.com/lists/oss-security/2026/02/24/2 Justin Swartz (2): telnetd: replace environment blacklist with a whitelist. telnetd: add optional --accept-env feature to extend the whitelist. configure.ac | 8 +++ telnetd/pty.c | 32 ----------- telnetd/state.c | 32 ++++++++--- telnetd/telnetd.c | 12 +++++ telnetd/telnetd.h | 7 +++ telnetd/utility.c | 134 ++++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 185 insertions(+), 40 deletions(-) --
