NetBSD-Bugs archive


Re: bin/60081: telnet(1) leaks environment variables to remote host



The following reply was made to PR bin/60081; it has been noted by GNATS.

From: Thomas Klausner <wiz%netbsd.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: bin/60081: telnet(1) leaks environment variables to remote host
Date: Sat, 14 Mar 2026 21:27:46 +0100

 --ps2sejysptawy7ir
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 I think this was handled already, see attached commit message.
  Thomas
 
 --ps2sejysptawy7ir
 Content-Type: message/rfc822
 Content-Disposition: inline
 
 Content-Transfer-Encoding: 7bit
 Content-Type: multipart/mixed; boundary="_----------=_1773430862223230"
 MIME-Version: 1.0
 Date: Fri, 13 Mar 2026 15:41:02 -0400
 From: "Christos Zoulas" <christos%netbsd.org@localhost>
 Subject: CVS commit: src/usr.bin/telnet
 To: source-changes-full%NetBSD.org@localhost
 X-Mailer: log_accum
 Message-Id: <20260313194102.E3F3EF983%cvs.NetBSD.org@localhost>
 
 This is a multi-part message in MIME format.
 
 --_----------=_1773430862223230
 Content-Disposition: inline
 Content-Transfer-Encoding: 8bit
 Content-Type: text/plain; charset="US-ASCII"
 
 Module Name:	src
 Committed By:	christos
 Date:		Fri Mar 13 19:41:02 UTC 2026
 
 Modified Files:
 	src/usr.bin/telnet: authenc.c commands.c externs.h telnet.c
 
 Log Message:
 Only send exported variables (from OpenBSD):
 https://www.openwall.com/lists/oss-security/2026/03/13/1
 
 
 To generate a diff of this commit:
 cvs rdiff -u -r1.14 -r1.15 src/usr.bin/telnet/authenc.c
 cvs rdiff -u -r1.80 -r1.81 src/usr.bin/telnet/commands.c
 cvs rdiff -u -r1.44 -r1.45 src/usr.bin/telnet/externs.h \
     src/usr.bin/telnet/telnet.c
 
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
 
 
 --_----------=_1773430862223230
 Content-Disposition: inline
 Content-Length: 4828
 Content-Transfer-Encoding: binary
 Content-Type: text/x-diff; charset=us-ascii
 
 Modified files:
 
 Index: src/usr.bin/telnet/authenc.c
 diff -u src/usr.bin/telnet/authenc.c:1.14 src/usr.bin/telnet/authenc.c:1.15
 --- src/usr.bin/telnet/authenc.c:1.14	Fri Dec 14 18:40:17 2018
 +++ src/usr.bin/telnet/authenc.c	Fri Mar 13 15:41:02 2026
 @@ -1,4 +1,4 @@
 -/*	$NetBSD: authenc.c,v 1.14 2018/12/14 23:40:17 christos Exp $	*/
 +/*	$NetBSD: authenc.c,v 1.15 2026/03/13 19:41:02 christos Exp $	*/
  
  /*-
   * Copyright (c) 1991, 1993
 @@ -34,7 +34,7 @@
  #if 0
  static char sccsid[] = "@(#)authenc.c	8.1 (Berkeley) 6/6/93";
  #else
 -__RCSID("$NetBSD: authenc.c,v 1.14 2018/12/14 23:40:17 christos Exp $");
 +__RCSID("$NetBSD: authenc.c,v 1.15 2026/03/13 19:41:02 christos Exp $");
  #endif
  #endif /* not lint */
  
 @@ -85,7 +85,7 @@ telnet_spin(void)
  char *
  telnet_getenv(char *val)
  {
 -	return env_getvalue(val);
 +	return env_getvalue(val, 0);
  }
  
  char *
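
Review bot: In telnet_getenv(), the bare `0` in `return env_getvalue(val, 0);` gives no hint of what it selects; per the test added in the commands.c hunk it means the value is returned only when ep->export is set. None of telnet_getenv()'s callers are visible in this diff, so confirm that all of them should get NULL for a variable the user has unexported, and consider a named constant instead of 0/1 at the call sites.
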
 
 Index: src/usr.bin/telnet/commands.c
 diff -u src/usr.bin/telnet/commands.c:1.80 src/usr.bin/telnet/commands.c:1.81
 --- src/usr.bin/telnet/commands.c:1.80	Fri Jul  8 17:51:24 2022
 +++ src/usr.bin/telnet/commands.c	Fri Mar 13 15:41:02 2026
 @@ -1,4 +1,4 @@
 -/*	$NetBSD: commands.c,v 1.80 2022/07/08 21:51:24 mlelstv Exp $	*/
 +/*	$NetBSD: commands.c,v 1.81 2026/03/13 19:41:02 christos Exp $	*/
  
  /*
   * Copyright (C) 1997 and 1998 WIDE Project.
 @@ -63,7 +63,7 @@
  #if 0
  static char sccsid[] = "@(#)commands.c	8.4 (Berkeley) 5/30/95";
  #else
 -__RCSID("$NetBSD: commands.c,v 1.80 2022/07/08 21:51:24 mlelstv Exp $");
 +__RCSID("$NetBSD: commands.c,v 1.81 2026/03/13 19:41:02 christos Exp $");
  #endif
  #endif /* not lint */
  
 @@ -1791,11 +1791,11 @@ env_default(int init, int welldefined)
  }
  
  char *
 -env_getvalue(const char *var)
 +env_getvalue(const char *var, int exported)
  {
  	struct env_lst *ep;
  
 -	if ((ep = env_find(var)) != NULL)
 +	if ((ep = env_find(var)) != NULL && (exported || ep->export))
  		return ep->value;
  	return NULL;
  }
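
Review bot: In env_getvalue(), the new test `(exported || ep->export)` returns the value of an unexported variable whenever the caller passes a non-zero `exported`, so the argument switches the export filter off rather than on, which is the opposite of what its name suggests. If non-zero is meant to select "exported variables only", the test should read `(!exported || ep->export)`; if the current polarity is intended, rename the parameter and add a comment on the function saying which value applies the filter, since the prototype in externs.h carries only an unnamed int.
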
 
 Index: src/usr.bin/telnet/externs.h
 diff -u src/usr.bin/telnet/externs.h:1.44 src/usr.bin/telnet/externs.h:1.45
 --- src/usr.bin/telnet/externs.h:1.44	Fri Dec 14 18:40:17 2018
 +++ src/usr.bin/telnet/externs.h	Fri Mar 13 15:41:02 2026
 @@ -1,4 +1,4 @@
 -/*	$NetBSD: externs.h,v 1.44 2018/12/14 23:40:17 christos Exp $	*/
 +/*	$NetBSD: externs.h,v 1.45 2026/03/13 19:41:02 christos Exp $	*/
  
  /*
   * Copyright (c) 1988, 1990, 1993
 @@ -216,7 +216,7 @@ struct env_lst *env_unexport(const char 
  struct env_lst *env_send(const char *, char *);
  struct env_lst *env_list(const char *, char *);
  char *env_default(int, int );
 -char *env_getvalue(const char *);
 +char *env_getvalue(const char *, int);
  void env_varval(const char *);
  int auth_cmd(int, char *[]);
  int ayt_status(void);
 Index: src/usr.bin/telnet/telnet.c
 diff -u src/usr.bin/telnet/telnet.c:1.44 src/usr.bin/telnet/telnet.c:1.45
 --- src/usr.bin/telnet/telnet.c:1.44	Sat Oct 30 09:43:40 2021
 +++ src/usr.bin/telnet/telnet.c	Fri Mar 13 15:41:02 2026
 @@ -1,4 +1,4 @@
 -/*	$NetBSD: telnet.c,v 1.44 2021/10/30 13:43:40 hannken Exp $	*/
 +/*	$NetBSD: telnet.c,v 1.45 2026/03/13 19:41:02 christos Exp $	*/
  
  /*
   * Copyright (c) 1988, 1990, 1993
 @@ -34,7 +34,7 @@
  #if 0
  static char sccsid[] = "@(#)telnet.c	8.4 (Berkeley) 5/30/95";
  #else
 -__RCSID("$NetBSD: telnet.c,v 1.44 2021/10/30 13:43:40 hannken Exp $");
 +__RCSID("$NetBSD: telnet.c,v 1.45 2026/03/13 19:41:02 christos Exp $");
  #endif
  #endif /* not lint */
  
 @@ -468,7 +468,7 @@ dooption(int option)
  #endif
  
  	    case TELOPT_XDISPLOC:	/* X Display location */
 -		if (env_getvalue((const unsigned char *)"DISPLAY"))
 +		if (env_getvalue("DISPLAY", 0))
  		    new_state_ok = 1;
  		break;
  
 @@ -731,7 +731,7 @@ gettermname(void)
  		resettermname = 0;
  		if (tnamep && tnamep != unknown)
  			free(tnamep);
 -		if ((tname = (char *)env_getvalue((const unsigned char *)"TERM")) &&
 +		if ((tname = env_getvalue("TERM", 0)) &&
  				(setupterm(tname, 1, &err) == 0)) {
  			tnamep = mklist(termbuf, tname);
  		} else {
 @@ -898,7 +898,7 @@ suboption(void)
  	    unsigned char temp[50], *dp;
  	    int len;
  
 -	    if ((dp = env_getvalue((const unsigned char *)"DISPLAY")) == NULL) {
 +	    if ((dp = env_getvalue("DISPLAY", 0)) == NULL) {
  		/*
  		 * Something happened, we no longer have a DISPLAY
  		 * variable.  So, turn off the option.
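
Review bot: In suboption(), `dp` is declared `unsigned char *` in the context lines above the change, but env_getvalue() returns `char *` per externs.h, so `dp = env_getvalue("DISPLAY", 0)` assigns across signedness without a cast. The argument cast was removed in this hunk; the result side should be made consistent too, either by declaring dp as `char *` or by casting the return value.
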
 @@ -1513,7 +1513,7 @@ env_opt_add(unsigned char *ep)
  			env_opt_add(ep);
  		return;
  	}
 -	vp = env_getvalue(ep);
 +	vp = env_getvalue(ep, 1);
  	elen = 2 * (vp ? strlen((char *)vp) : 0) +
  		2 * strlen((char *)ep) + 6;
  	if ((unsigned int)(opt_replyend - opt_replyp) < elen)
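
Review bot: In env_opt_add(), `vp = env_getvalue(ep, 1);` passes 1, and with the test `(exported || ep->export)` from the commands.c hunk that returns the value whether or not ep->export is set. This is the call that sizes the option reply (opt_replyp/opt_replyend), so it is where the log message's "Only send exported variables" has to hold, yet every other call in this diff passes 0 and this one alone bypasses the filter. Check the argument against the polarity in env_getvalue(); one of the two looks inverted. Separately, ep is `unsigned char *` here and is passed to a `const char *` parameter without a cast.
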
 @@ -2074,7 +2074,7 @@ telnet(const char *user)
  	send_will(TELOPT_LINEMODE, 1);
  	send_will(TELOPT_NEW_ENVIRON, 1);
  	send_do(TELOPT_STATUS, 1);
 -	if (env_getvalue((const unsigned char *)"DISPLAY"))
 +	if (env_getvalue("DISPLAY", 0))
  	    send_will(TELOPT_XDISPLOC, 1);
  	if (eight)
  	    tel_enter_binary(eight);
 
 
 --_----------=_1773430862223230--
 
 
 --ps2sejysptawy7ir--
 


