This patch set addresses a regression of CVE-1999-0073 (environment
injection in telnetd) where the existing blacklist strategy has not
been capable of neutralising all potentially dangerous environment
variables introduced by modern versions of glibc.

The current implementation attempts to drop specific variables from
the environment, but this approach doesn't account for many of the
so-called UNSECURE_ENVVARS that can allow unauthenticated remote
attackers to manipulate the login process.


CONTEXT

The need for a whitelist approach [1] was suggested by Simon Josefsson,
and security implications [2] plus [3] additional feedback [4] were
provided by Solar Designer.


PATCH 1/1

The daemon now leaves the inherited environment intact, and imposes
a default whitelist (USER, LOGNAME, TERM, LANG and LC_*) against all
client-negotiated variables. Environment variable value sanitization
is included to prevent path-based injection attacks.


CHANGES IN v3

- Dropped the optional --accept-env feature.

- Removed the logic that cleared the inherited environment.

- Extracted duplicated setenv/unsetenv logic in telnetd/state.c into
  a helper function named set_env_var_if_allowed().

- Retyped the whitelist array to ensure string placement in .rodata.


CHANGES IN v2

- Implemented global sanitization for all whitelisted variables to
  explicitly reject path separators, and explicit references to the
  current working directory and its parent.

- Extended the whitelist validation to intercept TELOPT_TTYPE
  negotiations to prevent questionable TERM values from bypassing
  the NEW_ENVIRON filter.

- Set up telnetd's --accept-env option for opt-in at compile-time
  via the autoconf flag: --enable-accept-env


[1] https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00002.html
[2] https://www.openwall.com/lists/oss-security/2026/02/24/2
[3] https://www.openwall.com/lists/oss-security/2026/02/24/3
[4] https://www.openwall.com/lists/oss-security/2026/03/08/3


Justin Swartz (1):
  telnetd: replace environment blacklist with a whitelist.

 telnetd/pty.c     | 32 ------------------
 telnetd/state.c   | 10 ++----
 telnetd/telnetd.h |  3 ++
 telnetd/utility.c | 83 +++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 88 insertions(+), 40 deletions(-)

-- 
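
The filtering policy described in the cover letter above, as an added
sketch that is not the code from the patch: the function names are
hypothetical, and it assumes "references to the current working
directory and its parent" means a value of exactly "." or "..".

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Whitelist from the cover letter; a trailing '*' marks a prefix match.
   "const char *const" keeps both the strings and the pointer table
   read-only. */
static const char *const allowed_names[] = {
  "USER", "LOGNAME", "TERM", "LANG", "LC_*", NULL
};

/* Exact match, except for entries ending in '*', which match by prefix. */
static bool name_is_whitelisted(const char *name)
{
  for (size_t i = 0; allowed_names[i] != NULL; i++) {
    const char *pat = allowed_names[i];
    size_t len = strlen(pat);

    if (len > 0 && pat[len - 1] == '*') {
      if (strncmp(name, pat, len - 1) == 0)
        return true;
    } else if (strcmp(name, pat) == 0) {
      return true;
    }
  }
  return false;
}

/* Reject path separators and the bare "." / ".." values (assumption:
   this is what the v2 sanitization note refers to). */
static bool value_is_safe(const char *value)
{
  if (strchr(value, '/') != NULL)
    return false;
  if (strcmp(value, ".") == 0 || strcmp(value, "..") == 0)
    return false;
  return true;
}

/* Hypothetical gate: a client-negotiated pair is accepted only when the
   name is whitelisted and the value passes sanitization. */
bool env_pair_allowed(const char *name, const char *value)
{
  if (name == NULL || value == NULL)
    return false;
  return name_is_whitelisted(name) && value_is_safe(value);
}
```

Anything not on the list is refused by default, so a variable that a
future libc starts honouring needs no new entry to be blocked.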

