Re: Moving telnet/telnetd from base to pkgsrc

[Taylor R Campbell <campbell+netbsd-tech-userlevel%mumble.net@localhost>]

> Date: Sat, 15 Dec 2018 22:38:10 +0100
> From: Anders Magnusson <ragge%ludd.ltu.se@localhost>
> 
> I'm pretty sure that all users of telnet know what the implications 
> are.  If they don't then it doesn't matter whether it is in base or not.

One of the implications at the moment is that anyone on the internet
between you and the remote host can crash your telnet client[*] with
no user interaction beyond making a connection.

This is _not_ the traditional and by now well-understood security
problem of telnet that it has no secrecy or authentication.  And
cursory examination of the telnet code -- together with its origins in
an era when the internet was a safe place -- does the opposite of
inspiring confidence that this hole is isolated.

Given that a large fraction of respondents (though not all) indicated
that their primary use of telnet is to test reachability of a server
or manually enter SMTP or HTTP requests over the internet -- a use
which is adequately served by the much smaller and much more
confidence-inspiring usr.bin/nc -- I think this _does_ constitute a
serious danger that warrants the scrutiny it is getting.


[*] Whether it can lead to arbitrary code execution, I don't know, and
    I'm not interested in studying further to find out; it doesn't
    take much to get arbitrary code execution, like a single null byte
    heap buffer overflow:
    https://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html