Re: Moving telnet/telnetd from base to pkgsrc

[Marc Balmer <mhbalmer%gmail.com@localhost>]

Am 15.12.2018 um 23:08 schrieb Taylor R Campbell <campbell+netbsd-tech-userlevel%mumble.net@localhost>:

>> Date: Sat, 15 Dec 2018 22:38:10 +0100
>> From: Anders Magnusson <ragge%ludd.ltu.se@localhost>
>> 
>> I'm pretty sure that all users of telnet know what the implications 
>> are.  If they don't then it doesn't matter whether it is in base or not.
> 
> One of the implications at the moment is that anyone on the internet
> between you and the remote host can crash your telnet client[*] with
> no user interaction beyond making a connection.

Block http/https and Javascript if you want security on the internet...

> 
> This is _not_ the traditional and by now well-understood security
> problem of telnet that it has no secrecy or authentication.  And
> cursory examination of the telnet code -- together with its origins in
> an era when the internet was a safe place -- does the opposite of
> inspiring confidence that this hole is isolated.

The internet was never a safe place and nobody ever claimed it was.  It was insecure from the beginning, by design.

> 
> Given that a large fraction of respondents (though not all) indicated
> that their primary use of telnet is to test reachability of a server
> or manually enter SMTP or HTTP requests over the internet -- a use
> which is adequately served by the much smaller and much more
> confidence-inspiring usr.bin/nc -- I think this _does_ constitute a
> serious danger that warrants the scrutiny it is getting.

I disagree.  Both telnet and telnetd are still valid citizens in NetBSD Town.

> 
> 
> [*] Whether it can lead to arbitrary code execution, I don't know, and
>    I'm not interested in studying further to find out; it doesn't
>    take much to get arbitrary code execution, like a single null byte
>    heap buffer overflow:
>    https://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html