Hi Collin,
Thank you for confirming the findings and for the pull request and the credit 
in the NEWS file; we really appreciate it.
A couple of questions about disclosure:

  1. Are you planning to request a CVE for this issue (e.g. through the GNU
     project or another CNA), or would you prefer that we request it from our
     side?
  2. Do you have a rough timeline for when the fix will be released (e.g. next
     release or patch branch), and when you expect to publish the CVE or
     security advisory?
  3. What is your preferred process from here until public disclosure (e.g.
     embargo period, coordinated advisory, or anything we should avoid doing
     until a certain date)?

We are happy to align with your process and timeline.
Best regards,
Adiel Sol
DREAM Security Research Team




________________________________
From: Collin Funk <[email protected]>
Sent: Thursday, March 12, 2026 9:49 AM
To: Adiel Sol <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE 
SLC)

Adiel Sol <[email protected]> writes:

> Proof of Concept
>
> 1. Start GNU Inetutils telnetd (e.g. with inetd or run telnetd manually) so 
> it listens on port 23.
> 2. From another machine, connect to the telnet port and complete the initial 
> handshake. When the server sends DO LINEMODE, reply with WILL LINEMODE so the 
> server enters LINEMODE negotiation.
> 3. Send a single LINEMODE SLC suboption containing at least 40 to 50
> triplets, each with a function code greater than 18 (e.g. 19, 20, 21,
> ... 68). Each triplet is 3 bytes (func, flag, value). Use 0x00 for
> flag and value. The suboption must be properly framed with IAC SB
> LINEMODE LM_SLC at the start and IAC SE at the end.
> 4. The server will call add_slc() for each triplet. After about 35 triplets 
> it will write past the end of slcbuf. You should observe a crash, or (if you 
> craft the overflow) memory corruption and possibly code execution.

Thank you for the detailed analysis and reproduction steps. I confirm
your findings.

> Credit Request
>
> We kindly request that the following researchers be credited for this 
> discovery:
> Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel - 
> DREAM Security Research Team
> Best regards,
>     DREAM Security Research Team

I submitted a pull request just now [1], and mentioned you all in the
NEWS file.

Collin

[1] https://codeberg.org/inetutils/inetutils/pulls/17/files
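
Added example, not part of the original thread and not inetutils code: a detection sketch for the condition described in the report, which parses client-to-server telnet bytes and flags LINEMODE SLC suboptions that carry function codes above 18 or an unusually large number of triplets. The option numbers come from RFC 1184; the `MAX_TRIPLETS` threshold, the function names and the sample bytes are assumptions made for illustration.

```python
IAC, SB, SE = 255, 250, 240
TELOPT_LINEMODE, LM_SLC = 34, 3   # RFC 1184 option and suboption codes
NSLC = 18                         # highest defined SLC function code
MAX_TRIPLETS = NSLC               # assumed alert threshold, not taken from the fix


def suboptions(stream: bytes):
    """Yield the unescaped body of every IAC SB ... IAC SE in the stream."""
    i, n = 0, len(stream)
    while i < n - 1:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            i += 2                      # IAC IAC or another IAC command
        else:
            body, j = bytearray(), i + 2
            while j < n:
                nxt = stream[j + 1] if j + 1 < n else None
                if stream[j] == IAC and nxt == SE:
                    break
                if stream[j] == IAC and nxt == IAC:
                    j += 1              # IAC IAC encodes one data byte 0xFF
                body.append(stream[j])
                j += 1
            yield bytes(body)           # unterminated suboptions are yielded too
            i = j + 2


def inspect(stream: bytes, max_triplets: int = MAX_TRIPLETS):
    """Return one finding per suspicious LINEMODE SLC suboption."""
    findings = []
    for body in suboptions(stream):
        if body[:2] != bytes([TELOPT_LINEMODE, LM_SLC]):
            continue
        data = body[2:]
        funcs = [data[k] for k in range(0, len(data) - 2, 3)]  # (func, flag, value)
        undefined = [f for f in funcs if f > NSLC]
        if undefined or len(funcs) > max_triplets:
            findings.append({"triplets": len(funcs),
                             "undefined_funcs": len(undefined)})
    return findings


# Constructed sample: IAC WILL LINEMODE, then an SLC suboption with three
# defined functions (1..3). This is ordinary negotiation and is not flagged.
BENIGN = bytes([IAC, 251, TELOPT_LINEMODE,
                IAC, SB, TELOPT_LINEMODE, LM_SLC,
                1, 2, 3, 2, 2, 28, 3, 2, 127,
                IAC, SE])

if __name__ == "__main__":
    print(inspect(BENIGN))
```
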
