oss-sec mailing list archives

Re: CVE-2026-28372: Telnetd Vulnerability Report


From: Solar Designer <solar () openwall com>
Date: Fri, 6 Mar 2026 16:16:49 +0100

Hi Guillem and Salvatore,

On Fri, Feb 27, 2026 at 01:09:57PM +0100, Guillem Jover wrote:
> On Tue, 2026-02-24 at 11:57:34 +0200, Ron Ben Yizhak wrote:
> > I’d like to ensure we follow the standard CVE process here. Standard
> > practice dictates that a CVE is issued per individual fix. Generally, once
> > a fix is merged and released, it is assigned its own CVE. Even if that fix
> > is later bypassed, the original merge stands as a unique event in the
> > codebase, meaning we should issue two separate CVEs rather than grouping
> > them.
>
> Salvatore Bonaccorso from the Debian Security Team got a CVE assigned
> for this, see <https://www.cve.org/CVERecord?id=CVE-2026-28372>. I'll
> update the Debian packaging on the next upload to point to that.

The CVE description says:

"telnetd in GNU inetutils through 2.7 allows privilege escalation that
can be exploited by abusing systemd service credentials support added to
the login(1) implementation of util-linux in release 2.40. This is
related to client control over the CREDENTIALS_DIRECTORY environment
variable, and requires an unprivileged local user to create a
login.noauth file."

So is this CVE only for the attack vector reported by Ron Ben Yizhak,
and not also for the other attack vector and more general issue reported
by Justin Swartz?

If so, are you going to assign a second CVE for the more general issue?

I am not convinced "the standard CVE process" is exactly as Ron Ben
Yizhak describes it above, but I don't mind doing things in this way.

It sometimes happens that a fix is released as being for a certain CVE,
and then a second CVE has to be assigned for the "incomplete fix", where
the incompleteness of the first fix is the new vulnerability.  But with
no CVE assigned yet, we didn't have to do it this way.  We could have
one CVE for the set of issues, and not treat "the original merge" as
fixing any CVE at all.

But again, I don't mind, and I understand that we also need to enable
researchers to find and report such issues during work hours, which
means making employers happy with credits and CVEs.  It isn't wrong to
have separate CVEs, so we may.

Just need to clarify.

Alexander

