--- /dev/null
+From 4db2f19f4caac03c7f4da6363c140bd70df31386 Mon Sep 17 00:00:00 2001
+From: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
+Date: Sun, 15 Feb 2026 15:38:50 +0100
+Subject: [PATCH] telnetd: don't allow systemd service credentials
+
+The login(1) implementation of util-linux added support for
+systemd service credentials in release 2.40. This allows to
+bypass authentication by specifying a directory name in the
+environment variable CREDENTIALS_DIRECTORY. If this directory
+contains a file named 'login.noauth' with the content of 'yes',
+login(1) skips authentication.
+
+GNU Inetutils telnetd supports to set arbitrary environment
+variables using the 'Environment' and 'New Environment'
+Telnet options. This allows specifying a directory containing
+'login.noauth'. A local user can create such a directory
+and file, and, e.g., specify the user name 'root' to escalate
+privileges.
+
+This problem was reported by Ron Ben Yizhak in
+<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>.
+
+This commit clears CREDENTIALS_DIRECTORY from the environment
+before executing login(1) to implement a simple fix that can
+be backported easily.
+
+* NEWS.md: Mention fix.
+* THANKS: Mention Ron Ben Yizhak.
+* telnetd/pty.c: Clear CREDENTIALS_DIRECTORY from the environment
+before executing 'login'.
+
+CVE: CVE-2026-28372
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=4db2f19f4caac03c7f4da6363c140bd70df31386]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ NEWS | 5 +++++
+ THANKS | 1 +
+ telnetd/pty.c | 8 ++++++++
+ 3 files changed, 14 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 877ca53b..f5172a71 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,5 +1,10 @@
+ GNU inetutils NEWS -- history of user-visible changes.
+
++** Prevent privilege escalation via telnetd abusing systemd service
++credentials support added to the login(1) implementation of util-linux
++in release 2.40. Reported by Ron Ben Yizhak in
++<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>.
++
+ # Noteworthy changes in release 2.7 (2025-12-14) [stable]
+
+ ** Systems without asprintf are now supported through the use of gnulib.
+diff --git a/THANKS b/THANKS
+index 8d1d3dbb..ef5f6063 100644
+--- a/THANKS
++++ b/THANKS
+@@ -9,6 +9,7 @@ In particular:
+ NIIBE Yutaka (Security fixes & making talk finally work)
+ Nathan Neulinger (tftpd)
+ Thomas Bushnell (sockaddr sin_len field)
++ Ron Ben Yizhak (reported privilege escalation via telnetd)
+
+ Please see version control logs and ChangeLog.? for full credits.
+
+diff --git a/telnetd/pty.c b/telnetd/pty.c
+index c727e7be..f3518049 100644
+--- a/telnetd/pty.c
++++ b/telnetd/pty.c
+@@ -129,6 +129,14 @@ start_login (char *host, int autologin, char *name)
+ if (!cmd)
+ fatal (net, "can't expand login command line");
+ argcv_get (cmd, "", &argc, &argv);
++
++ /* util-linux's "login" introduced an authentication bypass method
++ * via environment variable "CREDENTIALS_DIRECTORY" in version 2.40.
++ * Clear it from the environment before executing "login" to prevent
++ * abuse via Telnet.
++ */
++ unsetenv ("CREDENTIALS_DIRECTORY");
++
+ execv (argv[0], argv);
+ syslog (LOG_ERR, "%s: %m\n", cmd);
+ fatalperror (net, cmd);
projects / thirdparty / openembedded / openembedded-core-contrib.git / commitdiff
