head 1.2; access; symbols pkgsrc-2026Q1:1.2.0.2; locks; strict; comment @ * @; 1.2 date 2026.04.30.05.44.15; author wiz; state dead; branches 1.2.2.1; next 1.1; commitid yGOMRwhE6r64CWDG; 1.1 date 2026.04.19.19.15.38; author vins; state Exp; branches; next ; commitid 64qzupKVh3bbsBCG; 1.2.2.1 date 2026.04.30.05.44.15; author maya; state dead; branches; next 1.2.2.2; commitid muFZKP5fwW0XZVEG; 1.2.2.2 date 2026.05.07.22.37.51; author maya; state Exp; branches; next ; commitid muFZKP5fwW0XZVEG; desc @@ 1.2 log @inetutils: update to 2.8. # Noteworthy changes in release 2.8 (2026-04-29) [stable] ** telnetd no longer supports the --debug (-D) option. Previously, it would open a predictable file name at /tmp/telnet.debug, following it if it were a symbolic link. The data printed to it could also be controlled by a client. These behaviors could be combined to result in a local privilege escalation. Reported by Justin Swartz in . Guillem Jover also mentioned that another user can create the file before telnetd does, keep the file open, and snoop on sessions which may include credentials in . ** telnet no longer leaks the value of unexported environment variables to servers sending the NEW-ENVIRON SEND USERVAR command. Reported by Justin Swartz in . ** telnetd no longer allows clients to write past the end of a stack allocated buffer, possibly leading to remote code execution, using an SLC suboption with many triplets using function octets greater than 18. CVE-2026-32746 Reported by Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel at DREAM Security Research Team in . ** telnetd now ignores all environment options by default. Environment variables passed by the new --accept-env option can bypass this restriction. This is necessary to avoid vulnerabilities similar to CVE-2026-28372, since many different environment variables can be used to escalate privileges. ** Fix telnetd remote authentication by-pass vulnerability. 
CVE-2026-24061 Reported by Kyu Neushwaistein. Initial patch by Paul Eggert; further improvements and security advisory by Simon Josefsson. ** Prevent privilege escalation via telnetd abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. CVE-2026-28372 Reported by Ron Ben Yizhak@@SafeBreach in . ** telnet: Drop everything related to TN3270. The code did not build (several missing required header files) and even if we could fix it, we have no way to test it. It may contain security vulnerabilities. ** inetd: Adds new --foreground parameter to avoid forking. See , patch by Guillem Jover. ** Paths uses $(runstatedir) instead of $(localstatedir)/run for PID files etc. The intention is that this is a no-op for normal installations, and the files should end up in the same paths because the default value for $(runstatedor) is $(localstatedir)/run. ** Some compiler warnings are now enabled by default. Disable with --enable-gcc-warnings=no. Based on the Gnulib manywarnings module, see . ** configure.ac avoid implicit declaration of tcpd.h hosts_ctl. Patch and report by Mike Gilbert in . ** tests: Improve libls test that doesn't work reliably across file systems. See . ** Older ChangeLog.? files not included in release tarball. They are still available in the git history. Saves around 0.7MB uncompressed in the release tarball. Compare GNU CoreUtils https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/NEWS?id=4e112e90b11b70bd6dc5b441f820803fc2aadd69. @ text @$NetBSD: patch-telnetd_utility.c,v 1.1 2026/04/19 19:15:38 vins Exp $ Sanitize the USER environment variable before passing it to login(1). Fixes CVE-2026-24061. 
Reference: https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html --- telnetd/utility.c.orig 2025-12-14 15:12:20.000000000 +0000 +++ telnetd/utility.c @@@@ -1684,6 +1684,17 @@@@ static void _expand_cond (struct line_ex static void _skip_block (struct line_expander *exp); static void _expand_block (struct line_expander *exp); +static char * +sanitize (const char *u) +{ + /* Ignore values starting with '-' or containing shell metachars, as + they can cause trouble. */ + if (u && *u != '-' && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")]) + return u; + else + return ""; +} + /* Expand a variable referenced by its short one-symbol name. Input: exp->cp points to the variable name. FIXME: not implemented */ @@@@ -1710,13 +1721,13 @@@@ _var_short_name (struct line_expander *e return xstrdup (timebuf); case 'h': - return xstrdup (remote_hostname); + return xstrdup (sanitize (remote_hostname)); case 'l': - return xstrdup (local_hostname); + return xstrdup (sanitize (local_hostname)); case 'L': - return xstrdup (line); + return xstrdup (sanitize (line)); case 't': q = strchr (line + 1, '/'); @@@@ -1733,7 +1744,7 @@@@ _var_short_name (struct line_expander *e return user_name ? xstrdup (user_name) : NULL; case 'U': - return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup (""); + return user_name ? 
xstrdup (sanitize (user_name)) : NULL; default: exp->state = EXP_STATE_ERROR; @ 1.2.2.1 log @file patch-telnetd_utility.c was added on branch pkgsrc-2026Q1 on 2026-05-07 22:37:51 +0000 @ text @d1 52 @ 1.2.2.2 log @Pullup ticket #7097 - requested by taca net/inetutils: Security fix Revisions pulled up: - net/inetutils/Makefile 1.12-1.13 - net/inetutils/distinfo 1.8-1.9 - net/inetutils/patches/patch-telnetd_utility.c deleted --- Module Name: pkgsrc Committed By: vins Date: Sun Apr 19 19:15:38 UTC 2026 Modified Files: pkgsrc/net/inetutils: Makefile distinfo Added Files: pkgsrc/net/inetutils/patches: patch-telnetd_utility.c Log Message: net/inetutils: patch against CVE-2026-24061 Bump revision. --- Module Name: pkgsrc Committed By: wiz Date: Thu Apr 30 05:44:15 UTC 2026 Modified Files: pkgsrc/net/inetutils: Makefile distinfo Removed Files: pkgsrc/net/inetutils/patches: patch-telnetd_utility.c Log Message: inetutils: update to 2.8. # Noteworthy changes in release 2.8 (2026-04-29) [stable] ** telnetd no longer supports the --debug (-D) option. Previously, it would open a predictable file name at /tmp/telnet.debug, following it if it were a symbolic link. The data printed to it could also be controlled by a client. These behaviors could be combined to result in a local privilege escalation. Reported by Justin Swartz in . Guillem Jover also mentioned that another user can create the file before telnetd does, keep the file open, and snoop on sessions which may include credentials in . ** telnet no longer leaks the value of unexported environment variables to servers sending the NEW-ENVIRON SEND USERVAR command. Reported by Justin Swartz in . ** telnetd no longer allows clients to write past the end of a stack allocated buffer, possibly leading to remote code execution, using an SLC suboption with many triplets using function octets greater than 18. 
CVE-2026-32746 Reported by Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel at DREAM Security Research Team in . ** telnetd now ignores all environment options by default. Environment variables passed by the new --accept-env option can bypass this restriction. This is necessary to avoid vulnerabilities similar to CVE-2026-28372, since many different environment variables can be used to escalate privileges. ** Fix telnetd remote authentication by-pass vulnerability. CVE-2026-24061 Reported by Kyu Neushwaistein. Initial patch by Paul Eggert; further improvements and security advisory by Simon Josefsson. ** Prevent privilege escalation via telnetd abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. CVE-2026-28372 Reported by Ron Ben Yizhak@@SafeBreach in . ** telnet: Drop everything related to TN3270. The code did not build (several missing required header files) and even if we could fix it, we have no way to test it. It may contain security vulnerabilities. ** inetd: Adds new --foreground parameter to avoid forking. See , patch by Guillem Jover. ** Paths uses $(runstatedir) instead of $(localstatedir)/run for PID files etc. The intention is that this is a no-op for normal installations, and the files should end up in the same paths because the default value for $(runstatedor) is $(localstatedir)/run. ** Some compiler warnings are now enabled by default. Disable with --enable-gcc-warnings=no. Based on the Gnulib manywarnings module, see . ** configure.ac avoid implicit declaration of tcpd.h hosts_ctl. Patch and report by Mike Gilbert in . ** tests: Improve libls test that doesn't work reliably across file systems. See . ** Older ChangeLog.? files not included in release tarball. They are still available in the git history. Saves around 0.7MB uncompressed in the release tarball. 
Compare GNU CoreUtils https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/NEWS?id=4e112e90b11b70bd6dc5b441f820803fc2aadd69. @ text @a0 52 $NetBSD: patch-telnetd_utility.c,v 1.1 2026/04/19 19:15:38 vins Exp $ Sanitize the USER environment variable before passing it to login(1). Fixes CVE-2026-24061. Reference: https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html --- telnetd/utility.c.orig 2025-12-14 15:12:20.000000000 +0000 +++ telnetd/utility.c @@@@ -1684,6 +1684,17 @@@@ static void _expand_cond (struct line_ex static void _skip_block (struct line_expander *exp); static void _expand_block (struct line_expander *exp); +static char * +sanitize (const char *u) +{ + /* Ignore values starting with '-' or containing shell metachars, as + they can cause trouble. */ + if (u && *u != '-' && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")]) + return u; + else + return ""; +} + /* Expand a variable referenced by its short one-symbol name. Input: exp->cp points to the variable name. FIXME: not implemented */ @@@@ -1710,13 +1721,13 @@@@ _var_short_name (struct line_expander *e return xstrdup (timebuf); case 'h': - return xstrdup (remote_hostname); + return xstrdup (sanitize (remote_hostname)); case 'l': - return xstrdup (local_hostname); + return xstrdup (sanitize (local_hostname)); case 'L': - return xstrdup (line); + return xstrdup (sanitize (line)); case 't': q = strchr (line + 1, '/'); @@@@ -1733,7 +1744,7 @@@@ _var_short_name (struct line_expander *e return user_name ? xstrdup (user_name) : NULL; case 'U': - return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup (""); + return user_name ? xstrdup (sanitize (user_name)) : NULL; default: exp->state = EXP_STATE_ERROR; @ 1.1 log @net/inetutils: patch against CVE-2026-24061 Bump revision. @ text @d1 1 a1 1 $NetBSD$ @
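Review bot: sanitize() is a denylist, so any byte missing from the strcspn set is returned unchanged; carriage return and the other control characters besides tab and newline are not listed, for example. The values it guards here (user name, two hostnames, tty line) have narrow legitimate alphabets, so an allowlist check with strspn over the permitted characters would fail closed when a new problematic character turns up. Separately, the function is declared `static char *` but returns its `const char *u` argument and a string literal, which discards the qualifier; every caller in this patch hands the result straight to xstrdup, so declaring it `static const char *` is enough. The same patch text appears earlier on this page as revision 1.2, and the point applies there too.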
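Review bot: When sanitize() rejects remote_hostname, local_hostname or line in the 'h', 'l' and 'L' cases, the expansion silently becomes an empty string and nothing records that a value was dropped. A rejected remote hostname is a useful signal for whoever watches the daemon's logs, so consider logging at the point of rejection, for example `syslog (LOG_NOTICE, "ignoring unsafe value in login expansion");`, if syslog is already used in this file (not visible in the hunk). The 't' case that follows still reads `line` directly via `strchr (line + 1, '/')`; _var_short_name starts and ends outside the hunk, so whether that path needs the same filtering cannot be judged from here.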
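Review bot: The 'u' case directly above the changed line still returns `xstrdup (user_name)` unfiltered, while 'U' now passes the same `user_name` through sanitize(). If both expansions can end up on the login(1) command line (their use is not visible in this hunk, and _var_short_name continues outside it), 'u' should read `return user_name ? xstrdup (sanitize (user_name)) : NULL;` as well. 'U' also no longer reads the USER environment variable at all and now yields NULL rather than an empty string when no name is set, which the patch header's "Sanitize the USER environment variable" does not convey. A comment on the case such as `/* The client's USER variable is deliberately not consulted here. */` would record that for the next maintainer.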