On Tue, Feb 24, 2026 at 06:29:43AM +0100, Solar Designer wrote:
> On Tue, Feb 24, 2026 at 03:17:02AM +0200, Justin Swartz wrote:
> > In my opinion, to fix this issue and finally put the ghost of CVE-1999-0073
> > to rest: telnetd must drop the blacklist approach and adopt the OpenSSH
> > AcceptEnv-style approach suggested by Simon Josefsson [1], which amounts to
> > preparing a brand new environment for /bin/login based on a strict
> > whitelist of variables names considered to be "safe", and perhaps a healthy
> > dose of input sanitization for their respective values.
>
> Oh, sure. A couple of decades ago I ported OpenBSD's telnet and telnetd
> to Linux for our distro, Owl. I no longer recalled all detail, but
> looking at my "Linux port" patch now, it appears to implement a strict
> allow-list approach already. There's a comment saying the "list comes
> from Linux NetKit telnetd, version 0.17", so maybe NetKit already used
> that approach too, and Linux distros got a regression by switching from
> NetKit to InetUtils? Or it could be that Red Hat used NetKit and Debian
> went with InetUtils. I see I'm also lightly sanitizing env var values
> (only for not containing '/' and being of sane length), which I doubt
> was in NetKit.
I'm now looking at telnet-0.17-85.el9.src.rpm from Rocky Linux 9. The
telnet server part of it is still based on NetKit 0.17, where the latest
ChangeLog entry is:
22-Jul-2000:
Bug fixes for environment processing from Olaf Kirch. Also fixes
privacy issue noticed by Steve Bellovin. Also fix a wrong
assert().
and the code is:
/* check that variable is safe to pass to login or shell */
#if 0 /* insecure version */
static int envvarok(char *varp) {
if (strncmp(varp, "LD_", strlen("LD_")) &&
strncmp(varp, "ELF_LD_", strlen("ELF_LD_")) &&
strncmp(varp, "AOUT_LD_", strlen("AOUT_LD_")) &&
strncmp(varp, "_RLD_", strlen("_RLD_")) &&
strcmp(varp, "LIBPATH") &&
strcmp(varp, "ENV") &&
strcmp(varp, "IFS"))
{
return 1;
}
else {
/* optionally syslog(LOG_INFO) here */
return 0;
}
}
#else
static int envvarok(char *varp) {
/*
* Allow only these variables.
*/
if (!strcmp(varp, "TERM")) return 1;
if (!strcmp(varp, "DISPLAY")) return 1;
if (!strcmp(varp, "USER")) return 1;
if (!strcmp(varp, "LOGNAME")) return 1;
if (!strcmp(varp, "POSIXLY_CORRECT")) return 1;
/* optionally syslog(LOG_INFO) here */
return 0;
}
In my patch against OpenBSD's it is:
+/* This list comes from Linux NetKit telnetd, version 0.17 */
+static char *goodenv_table[] = {
+ "TERM",
+ "DISPLAY",
+ "USER",
+ "LOGNAME",
+ "POSIXLY_CORRECT",
+ NULL
};
[...]
+envvarok(varp, valp)
+ char *varp, *valp;
{
[...]
+ for (i = 0; goodenv_table[i]; i++) {
+ if (strcmp(goodenv_table[i], varp))
+ continue;
+ if (strchr(valp, '/') || strlen(valp) >= 0x100) {
+ syslog(LOG_NOTICE, "Rejected attempt to set the "
+ "environment variable \"%s\" to an "
+ "invalid value", varp);
+ return (0);
+ }
+ return (1);
+ }
[...]
+ return (0);
So it looks like in the Linux world non-use of an allow list is specific
to InetUtils, which means primarily Debian and derived distros.
Alexander
