Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd

[Alexander Bochmann <ab () lists gxis de>]

...on 2026-01-20 15:00:07, Simon Josefsson wrote:

> Vulnerable versions: GNU InetUtils since version 1.9.3 up to and
> including version 2.7.

Looking at Debian, this gets even more hilarious... Their 
changelog for inetutils has:

> inetutils (2:1.9.4-7) unstable; urgency=medium
> [..]
>  * Take several patches from upstream git master:
> [..]
>    - 0028-telnetd-Scrub-USER-from-environment.patch
>
> [..] Sat, 16 Feb 2019 18:09:37 +0100

I have not yet spun up a Debian 9 to see if that version was 
released as an update, but it presumably would have been safe 
in this regard.

The next entry in their changelog is for Debian 10,

> inetutils (2:1.9.4-7+deb10u1) buster; urgency=medium
>
>  * CVE-2020-10188 (Closes: #956084)
>
> [..] Fri, 18 Sep 2020 20:06:42 +0200

That update fixed a remote code execution in telnetd and 
apparently reintroduced the environment bug yet another 
time (I tested that Debian 10 telnetd is vulnerable for 
this and later versions, and also subsequent Debian and 
Ubuntu releases)...

Alex.