pkgsrc-Changes archive


CVS commit: pkgsrc/net/inetutils



Module Name:    pkgsrc
Committed By:   vins
Date:           Sun Apr 19 19:15:38 UTC 2026

Modified Files:
        pkgsrc/net/inetutils: Makefile distinfo
Added Files:
        pkgsrc/net/inetutils/patches: patch-telnetd_utility.c

Log Message:
net/inetutils: patch against CVE-2026-24061

Bump revision.


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 pkgsrc/net/inetutils/Makefile
cvs rdiff -u -r1.7 -r1.8 pkgsrc/net/inetutils/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/net/inetutils/patches/patch-telnetd_utility.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/inetutils/Makefile
diff -u pkgsrc/net/inetutils/Makefile:1.11 pkgsrc/net/inetutils/Makefile:1.12
--- pkgsrc/net/inetutils/Makefile:1.11  Sat Feb  7 09:53:47 2026
+++ pkgsrc/net/inetutils/Makefile       Sun Apr 19 19:15:38 2026
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.11 2026/02/07 09:53:47 vins Exp $
+# $NetBSD: Makefile,v 1.12 2026/04/19 19:15:38 vins Exp $
 
 DISTNAME=      inetutils-2.7
+PKGREVISION=   1
 CATEGORIES=    net
 MASTER_SITES=  ${MASTER_SITE_GNU:=inetutils/}
 

Index: pkgsrc/net/inetutils/distinfo
diff -u pkgsrc/net/inetutils/distinfo:1.7 pkgsrc/net/inetutils/distinfo:1.8
--- pkgsrc/net/inetutils/distinfo:1.7   Sat Feb  7 09:53:47 2026
+++ pkgsrc/net/inetutils/distinfo       Sun Apr 19 19:15:38 2026
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.7 2026/02/07 09:53:47 vins Exp $
+$NetBSD: distinfo,v 1.8 2026/04/19 19:15:38 vins Exp $
 
 BLAKE2s (inetutils-2.7.tar.gz) = 537183861935001f209af6f8a4a1d9e223bb879aedc4ec0f180a98aaeda2feee
 SHA512 (inetutils-2.7.tar.gz) = 8f36bea126108e8f48f2c436c9ff11684f3bd51c4e48090f0ab8626b8c5878b6dc8c64b84cd7a6220913f68c8602b37c8ac632fe9ef530bf5018c6e51ee1a90b
@@ -7,3 +7,4 @@ SHA1 (patch-libinetutils_libinetutils.h)
 SHA1 (patch-ping_Makefile.in) = bfc193800d353496ce2dc639803c356eef7a655a
 SHA1 (patch-src_Makefile.in) = a8321822fdd68db4ec86ad232b59aaad92583297
 SHA1 (patch-src_syslogd.c) = 608579f47456d85b29520e7021c86cf80f6faa1c
+SHA1 (patch-telnetd_utility.c) = b47deef43e1b701af085b59ae09604b5a911113c

Added files:

Index: pkgsrc/net/inetutils/patches/patch-telnetd_utility.c
diff -u /dev/null pkgsrc/net/inetutils/patches/patch-telnetd_utility.c:1.1
--- /dev/null   Sun Apr 19 19:15:38 2026
+++ pkgsrc/net/inetutils/patches/patch-telnetd_utility.c        Sun Apr 19 19:15:38 2026
@@ -0,0 +1,52 @@
+$NetBSD: patch-telnetd_utility.c,v 1.1 2026/04/19 19:15:38 vins Exp $
+
+Sanitize the USER environment variable before passing it to login(1).
+Fixes CVE-2026-24061. Reference:
+https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html
+
+--- telnetd/utility.c.orig     2025-12-14 15:12:20.000000000 +0000
++++ telnetd/utility.c
+@@ -1684,6 +1684,17 @@ static void _expand_cond (struct line_ex
+ static void _skip_block (struct line_expander *exp);
+ static void _expand_block (struct line_expander *exp);
+ 
++static char *
++sanitize (const char *u)
++{
++  /* Ignore values starting with '-' or containing shell metachars, as
++     they can cause trouble.  */
++  if (u && *u != '-' && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")])
++    return u;
++  else
++    return "";
++}
++
+ /* Expand a variable referenced by its short one-symbol name.
+    Input: exp->cp points to the variable name.
+    FIXME: not implemented */
+@@ -1710,13 +1721,13 @@ _var_short_name (struct line_expander *e
+       return xstrdup (timebuf);
+ 
+     case 'h':
+-      return xstrdup (remote_hostname);
++      return xstrdup (sanitize (remote_hostname));
+ 
+     case 'l':
+-      return xstrdup (local_hostname);
++      return xstrdup (sanitize (local_hostname));
+ 
+     case 'L':
+-      return xstrdup (line);
++      return xstrdup (sanitize (line));
+ 
+     case 't':
+       q = strchr (line + 1, '/');
+@@ -1733,7 +1744,7 @@ _var_short_name (struct line_expander *e
+       return user_name ? xstrdup (user_name) : NULL;
+ 
+     case 'U':
+-      return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup ("");
++      return user_name ? xstrdup (sanitize (user_name)) : NULL;
+ 
+     default:
+       exp->state = EXP_STATE_ERROR;
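Review bot: In `_var_short_name` the `'U'` case now expands `user_name` instead of `getenv ("USER")` and returns NULL rather than `""` when it is unset, while the `'u'` case just above it still returns `xstrdup (user_name)` without passing through `sanitize`. That does not match the patch header ("Sanitize the USER environment variable"), and it leaves one expansion of `user_name` unfiltered; how `user_name` is populated is not visible here, so whether it can carry a leading `-` or shell metacharacters should be confirmed. If the intent is to filter USER rather than stop expanding it, the two cases would read `return user_name ? xstrdup (sanitize (user_name)) : NULL;` for `'u'` and `return xstrdup (sanitize (getenv ("USER")));` for `'U'`, since `sanitize` already maps NULL to `""`. Separately, `sanitize` is declared `static char *` but returns its `const char *` argument, which discards the qualifier; `static const char *` fits, as every caller shown only passes the result to `xstrdup`. The body of `_var_short_name` starts and ends outside these hunks, so the `'t'` case and any other use of `line` could not be checked.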


