oss-sec mailing list archives

Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd


From: Demi Marie Obenour <demiobenour () gmail com>
Date: Thu, 22 Jan 2026 18:25:36 -0500

On 1/20/26 09:00, Simon Josefsson wrote:
> We chose to sanitize all variables for expansion.  The following two
> patches are what we suggest:
>
> https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b
> https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc

If a variable expands to an empty value, will the subsequent code
remove the command-line argument entirely, rather than passing an
empty string?  Or should an empty string be treated as an error?

Also, would an allowlist be better than a denylist?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

Attachment: OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature
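
The two questions raised in the reply above (what to do when a client-supplied variable expands to an empty string, and allowlist versus denylist) can be made concrete with a small vetting routine. The following is an added illustration written for this archive page, not code from inetutils or from either poster. It assumes a hypothetical child command named "helper" that takes "-h <host>" and an optional trailing user argument; the allowlist character set (letters, digits, '.', '_', '-') and the toy denylist are likewise assumptions made for the example. The point it demonstrates is that an allowlist which also refuses a leading '-' stops a value from being parsed as an option by the child, which a metacharacter denylist does not, and that an empty expansion is dropped from argv rather than passed as "".

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of vetting one client-controlled value before it becomes an argv element. */
enum arg_check {
    ARG_OK = 0,     /* pass through unchanged */
    ARG_EMPTY,      /* expanded to "": drop the argument, never pass "" */
    ARG_REJECTED    /* outside the allowlist, or would be parsed as an option */
};

/* Allowlist (an assumption for this example): letters, digits, '.', '_', '-'.
   A leading '-' is refused separately because the receiving program's option
   parser would treat the value as a flag rather than as data. */
static int allowlisted_char(unsigned char c)
{
    return isalnum(c) || c == '.' || c == '_' || c == '-';
}

enum arg_check allowlist_check(const char *value)
{
    if (value == NULL || value[0] == '\0')
        return ARG_EMPTY;
    if (value[0] == '-')
        return ARG_REJECTED;
    for (const unsigned char *p = (const unsigned char *)value; *p != '\0'; p++)
        if (!allowlisted_char(*p))
            return ARG_REJECTED;
    return ARG_OK;
}

/* Toy denylist for comparison (constructed here, not from any project): it
   refuses shell metacharacters and whitespace, but knows nothing about the
   child's option parser, so a value beginning with '-' passes untouched. */
enum arg_check denylist_check(const char *value)
{
    static const char bad[] = ";|&$<>`'\"\\ \t\n";
    if (value == NULL || value[0] == '\0')
        return ARG_EMPTY;
    return strpbrk(value, bad) ? ARG_REJECTED : ARG_OK;
}

/* Assemble argv for the hypothetical "helper -h <host> [<user>]" child.
   host is mandatory; user is optional, and an empty expansion removes the
   argument entirely instead of leaving a "" element.  Both fields share the
   same allowlist here for brevity; a real checker would use a per-field rule.
   Returns argc, or -1 if any value is rejected.  argv[argc] is always NULL. */
int build_helper_argv(const char *host, const char *user,
                      const char *argv[], size_t max)
{
    size_t argc = 0;
    enum arg_check h = allowlist_check(host);
    enum arg_check u = allowlist_check(user);

    if (max < 5 || h != ARG_OK || u == ARG_REJECTED)
        return -1;

    argv[argc++] = "helper";
    argv[argc++] = "-h";
    argv[argc++] = host;
    if (u == ARG_OK)
        argv[argc++] = user;   /* added only when non-empty and clean */
    argv[argc] = NULL;         /* execv()-ready */
    return (int)argc;
}

int main(void)
{
    /* Constructed sample values, including an option-shaped one. */
    const char *samples[] = { "alice", "", "-froot", "a;b", "al ice", NULL };
    const char *argv[8];

    for (int i = 0; samples[i] != NULL; i++)
        printf("%-8s allowlist=%d denylist=%d\n", samples[i],
               allowlist_check(samples[i]), denylist_check(samples[i]));

    printf("argc with empty user: %d\n",
           build_helper_argv("203.0.113.7", "", argv, 8));
    printf("argc with option-shaped user: %d\n",
           build_helper_argv("203.0.113.7", "-froot", argv, 8));
    return 0;
}
```

Whether an empty expansion should instead be a hard error, as the reply also asks, is a policy choice: the routine above reports it as a distinct ARG_EMPTY outcome so the caller can decide, and the only thing it never does is forward "" to the child.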

