From b250e5637392e85fa38c78bde38f254b92e46990 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20Guzm=C3=A1n?= Date: Mon, 26 Jan 2026 21:05:58 -0600 Subject: [PATCH] inetutils: add patches for known security issues. --- ..._injection_bug_with_bogus_user_names.patch | 34 ++++++++ ...etd_sanitize_all_variable_expansions.patch | 78 +++++++++++++++++++ helpers/make-inetutils | 32 ++++++++ 3 files changed, 144 insertions(+) create mode 100644 helpers/DATA/inetutils/patch_changes/000-fix_injection_bug_with_bogus_user_names.patch create mode 100644 helpers/DATA/inetutils/patch_changes/001-telnetd_sanitize_all_variable_expansions.patch create mode 100644 helpers/make-inetutils diff --git a/helpers/DATA/inetutils/patch_changes/000-fix_injection_bug_with_bogus_user_names.patch b/helpers/DATA/inetutils/patch_changes/000-fix_injection_bug_with_bogus_user_names.patch new file mode 100644 index 0000000..344d9ab --- /dev/null +++ b/helpers/DATA/inetutils/patch_changes/000-fix_injection_bug_with_bogus_user_names.patch @@ -0,0 +1,34 @@ +From fd702c02497b2f398e739e3119bed0b23dd7aa7b Mon Sep 17 00:00:00 2001 +From: Paul Eggert +Date: Tue, 20 Jan 2026 01:10:36 -0800 +Subject: [PATCH] Fix injection bug with bogus user names + +Problem reported by Kyu Neushwaistein. +* telnetd/utility.c (_var_short_name): +Ignore user names that start with '-' or contain shell metacharacters. + +Signed-off-by: Simon Josefsson +--- + telnetd/utility.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/telnetd/utility.c b/telnetd/utility.c +index b486226e..c02cd0e6 100644 +--- a/telnetd/utility.c ++++ b/telnetd/utility.c +@@ -1733,7 +1733,14 @@ _var_short_name (struct line_expander *exp) + return user_name ? xstrdup (user_name) : NULL; + + case 'U': +- return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup (""); ++ { ++ /* Ignore user names starting with '-' or containing shell ++ metachars, as they can cause trouble. */ ++ char const *u = getenv ("USER"); ++ return xstrdup ((u && *u != '-' ++ && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")]) ++ ? u : ""); ++ } + + default: + exp->state = EXP_STATE_ERROR; diff --git a/helpers/DATA/inetutils/patch_changes/001-telnetd_sanitize_all_variable_expansions.patch b/helpers/DATA/inetutils/patch_changes/001-telnetd_sanitize_all_variable_expansions.patch new file mode 100644 index 0000000..8b4653c --- /dev/null +++ b/helpers/DATA/inetutils/patch_changes/001-telnetd_sanitize_all_variable_expansions.patch @@ -0,0 +1,78 @@ +From ccba9f748aa8d50a38d7748e2e60362edd6a32cc Mon Sep 17 00:00:00 2001 +From: Simon Josefsson +Date: Tue, 20 Jan 2026 14:02:39 +0100 +Subject: [PATCH] telnetd: Sanitize all variable expansions + +* telnetd/utility.c (sanitize): New function. +(_var_short_name): Use it for all variables. +--- + telnetd/utility.c | 32 ++++++++++++++++++-------------- + 1 file changed, 18 insertions(+), 14 deletions(-) + +diff --git a/telnetd/utility.c b/telnetd/utility.c +index c02cd0e6..b21ad961 100644 +--- a/telnetd/utility.c ++++ b/telnetd/utility.c +@@ -1684,6 +1684,17 @@ static void _expand_cond (struct line_expander *exp); + static void _skip_block (struct line_expander *exp); + static void _expand_block (struct line_expander *exp); + ++static char * ++sanitize (const char *u) ++{ ++ /* Ignore values starting with '-' or containing shell metachars, as ++ they can cause trouble. */ ++ if (u && *u != '-' && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")]) ++ return u; ++ else ++ return ""; ++} ++ + /* Expand a variable referenced by its short one-symbol name. + Input: exp->cp points to the variable name. + FIXME: not implemented */ +@@ -1710,13 +1721,13 @@ _var_short_name (struct line_expander *exp) + return xstrdup (timebuf); + + case 'h': +- return xstrdup (remote_hostname); ++ return xstrdup (sanitize (remote_hostname)); + + case 'l': +- return xstrdup (local_hostname); ++ return xstrdup (sanitize (local_hostname)); + + case 'L': +- return xstrdup (line); ++ return xstrdup (sanitize (line)); + + case 't': + q = strchr (line + 1, '/'); +@@ -1724,23 +1735,16 @@ _var_short_name (struct line_expander *exp) + q++; + else + q = line; +- return xstrdup (q); ++ return xstrdup (sanitize (q)); + + case 'T': +- return terminaltype ? xstrdup (terminaltype) : NULL; ++ return terminaltype ? xstrdup (sanitize (terminaltype)) : NULL; + + case 'u': +- return user_name ? xstrdup (user_name) : NULL; ++ return user_name ? xstrdup (sanitize (user_name)) : NULL; + + case 'U': +- { +- /* Ignore user names starting with '-' or containing shell +- metachars, as they can cause trouble. */ +- char const *u = getenv ("USER"); +- return xstrdup ((u && *u != '-' +- && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")]) +- ? u : ""); +- } ++ return xstrdup (sanitize (getenv ("USER"))); + + default: + exp->state = EXP_STATE_ERROR; diff --git a/helpers/make-inetutils b/helpers/make-inetutils new file mode 100644 index 0000000..f21bbe4 --- /dev/null +++ b/helpers/make-inetutils @@ -0,0 +1,32 @@ +#!/bin/sh +# +# Copyright (C) 2026 Luis Guzmán +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +# + +VERSION=0 + +. ./config + +# WARNING: telnetd is not recommended in 2026, especially in production. +# Applying these patches is a proactive mitigation effort for known issues and does not +# endorse continued use of telnetd. The patch co-author recommends deprecating it. + +apply_patch_changes + +changelog "Apply security patches to mitigate known issues proactively; telnetd is not recommended: avoid in production." + +package