From: Peter Marko <[email protected]> Pick patch according to [1] (equivalent to patch from [2]).
This CVE is needed if util-linux >= 2.40 is used which is not the case in Yocto kirkstone, however it's always possible that users update packages in their layers. [1] https://security-tracker.debian.org/tracker/CVE-2026-28372 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-28372 Signed-off-by: Peter Marko <[email protected]> --- .../inetutils/inetutils/CVE-2026-28372.patch | 86 +++++++++++++++++++ .../inetutils/inetutils_2.5.bb | 1 + 2 files changed, 87 insertions(+) create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch new file mode 100644 index 00000000000..4e6bf0c87ca --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch 
@@ -0,0 +1,86 @@ +From 4db2f19f4caac03c7f4da6363c140bd70df31386 Mon Sep 17 00:00:00 2001 +From: Erik Auerswald <[email protected]> +Date: Sun, 15 Feb 2026 15:38:50 +0100 +Subject: [PATCH] telnetd: don't allow systemd service credentials + +The login(1) implementation of util-linux added support for +systemd service credentials in release 2.40. This allows to +bypass authentication by specifying a directory name in the +environment variable CREDENTIALS_DIRECTORY. If this directory +contains a file named 'login.noauth' with the content of 'yes', +login(1) skips authentication. + +GNU Inetutils telnetd supports to set arbitrary environment +variables using the 'Environment' and 'New Environment' +Telnet options. This allows specifying a directory containing +'login.noauth'. A local user can create such a directory +and file, and, e.g., specify the user name 'root' to escalate +privileges. + +This problem was reported by Ron Ben Yizhak in +<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>. + +This commit clears CREDENTIALS_DIRECTORY from the environment +before executing login(1) to implement a simple fix that can +be backported easily. + +* NEWS.md: Mention fix. +* THANKS: Mention Ron Ben Yizhak. +* telnetd/pty.c: Clear CREDENTIALS_DIRECTORY from the environment +before executing 'login'. + +CVE: CVE-2026-28372 +Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=4db2f19f4caac03c7f4da6363c140bd70df31386] +Signed-off-by: Peter Marko <[email protected]> +--- + NEWS | 5 +++++ + THANKS | 1 + + telnetd/pty.c | 8 ++++++++ + 3 files changed, 14 insertions(+) + +diff --git a/NEWS b/NEWS +index 877ca53b..f5172a71 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,5 +1,10 @@ + GNU inetutils NEWS -- history of user-visible changes. + ++** Prevent privilege escalation via telnetd abusing systemd service ++credentials support added to the login(1) implementation of util-linux ++in release 2.40. 
Reported by Ron Ben Yizhak in ++<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>. ++ + * Noteworthy changes in release 2.5 (2023-12-29) [stable] + + ** ftpd, rcp, rlogin, rsh, rshd, uucpd +diff --git a/THANKS b/THANKS +index 8d1d3dbb..ef5f6063 100644 +--- a/THANKS ++++ b/THANKS +@@ -9,6 +9,7 @@ In particular: + NIIBE Yutaka (Security fixes & making talk finally work) + Nathan Neulinger (tftpd) + Thomas Bushnell (sockaddr sin_len field) ++ Ron Ben Yizhak (reported privilege escalation via telnetd) + + Please see version control logs and ChangeLog.? for full credits. + +diff --git a/telnetd/pty.c b/telnetd/pty.c +index c727e7be..f3518049 100644 +--- a/telnetd/pty.c ++++ b/telnetd/pty.c +@@ -130,6 +130,14 @@ start_login (char *host, int autologin, char *name) + if (!cmd) + fatal (net, "can't expand login command line"); + argcv_get (cmd, "", &argc, &argv); ++ ++ /* util-linux's "login" introduced an authentication bypass method ++ * via environment variable "CREDENTIALS_DIRECTORY" in version 2.40. ++ * Clear it from the environment before executing "login" to prevent ++ * abuse via Telnet. ++ */ ++ unsetenv ("CREDENTIALS_DIRECTORY"); ++ + execv (argv[0], argv); + syslog (LOG_ERR, "%s: %m\n", cmd); + fatalperror (net, cmd); diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.5.bb b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb index 486878022f0..6c53902356f 100644 --- a/meta/recipes-connectivity/inetutils/inetutils_2.5.bb +++ b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb @@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \ file://tftpd.xinetd.inetutils \ file://CVE-2026-24061-1.patch \ file://CVE-2026-24061-2.patch \ + file://CVE-2026-28372.patch \ " inherit autotools gettext update-alternatives texinfo
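Review bot: in the telnetd/pty.c hunk, the unsetenv ("CREDENTIALS_DIRECTORY") placed between argcv_get () and execv () in start_login () removes exactly one variable, while the commit message itself states that telnetd lets a client set arbitrary environment variables through the Environment and New Environment options; so this is a targeted mitigation for the util-linux 2.40 login(1) behaviour, not a general hardening of the environment handed to login. The message already justifies that as a backport-friendly choice, but the in-code comment should say that the narrow scope is deliberate, and a follow-up that reduces the client-supplied environment to an allowlist of known-safe variables before the execv () is worth tracking so this does not have to be revisited for the next variable login(1) learns to honour.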
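Review bot: the NEWS hunk inserts its entry above the "* Noteworthy changes in release 2.5 (2023-12-29) [stable]" heading without a release heading of its own, so in the 2.5 tree it reads as an unreleased note, and together with the THANKS hunk it is documentation that does not change the built telnetd. The context lines show 2.5 as the latest release, so the hunk should apply here, but these two hunks are the part of the backport most likely to need fuzz or refresh on other recipe versions; carrying only the telnetd/pty.c hunk (with the CVE and Upstream-Status tags kept in the header) would be the more maintainable backport.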
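Review bot: the inetutils_2.5.bb hunk adds file://CVE-2026-28372.patch after the two CVE-2026-24061 patches, keeping the existing SRC_URI ordering, and the cover letter explains that the vulnerable login(1) only exists in util-linux >= 2.40, which kirkstone does not ship. Because the patch is an unconditional unsetenv with no dependency on the util-linux version, applying it is harmless and is preferable to marking the CVE as not affected in the recipe, which would become wrong the moment a layer updates util-linux; please put that reasoning in the recipe commit message (it is currently only in the cover letter) so a later maintainer does not swap the patch for a status entry.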
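The upstream fix above clears a single variable with unsetenv() before execv(). As an added illustration (not inetutils or oe-core code), the function below generalises that step to filtering a NULL-terminated environment array against a deny list before it is handed to login(1); the deny list, the filter_env/env_is_denied/env_count names and the sample environment are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Variables that must never reach login(1). Only the one named by the
 * upstream fix is listed; a deployment would extend this (assumed list). */
static const char *const denied_env[] = { "CREDENTIALS_DIRECTORY", NULL };

/* Length of the NAME part of a "NAME=value" entry. */
static size_t env_name_len(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}

/* 1 if the entry's name matches a denied name exactly (prefixes such as
 * CREDENTIALS_DIRECTORY_X are not denied), else 0. */
static int env_is_denied(const char *entry)
{
    size_t n = env_name_len(entry);
    for (const char *const *d = denied_env; *d; d++)
        if (strlen(*d) == n && strncmp(entry, *d, n) == 0)
            return 1;
    return 0;
}

/* Return a newly allocated NULL-terminated copy of envp without denied
 * entries (strings are shared, not copied). NULL on allocation failure. */
char **filter_env(char *const *envp)
{
    size_t count = 0, j = 0;
    for (char *const *e = envp; *e; e++)
        count++;
    char **out = calloc(count + 1, sizeof *out);
    if (!out)
        return NULL;
    for (char *const *e = envp; *e; e++)
        if (!env_is_denied(*e))
            out[j++] = *e;
    out[j] = NULL;
    return out;
}

/* Number of entries in a NULL-terminated environment array. */
size_t env_count(char *const *envp)
{
    size_t n = 0;
    while (envp[n])
        n++;
    return n;
}
```

A caller would pass the filtered array to execve() instead of inheriting the process environment, so nothing a client supplied under a denied name survives into login(1).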
