CVS commit: [pkgsrc-2026Q1] pkgsrc/net/inetutils

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: [pkgsrc-2026Q1] pkgsrc/net/inetutils
From: "Maya Rashish" <maya%netbsd.org@localhost>
Date: Thu, 7 May 2026 22:37:52 +0000

Module Name:    pkgsrc
Committed By:   maya
Date:           Thu May  7 22:37:52 UTC 2026

Modified Files:
        pkgsrc/net/inetutils [pkgsrc-2026Q1]: Makefile distinfo
Added Files:
        pkgsrc/net/inetutils/patches [pkgsrc-2026Q1]: patch-telnetd_utility.c

Log Message:
Pullup ticket #7097 - requested by taca
net/inetutils: Security fix

Revisions pulled up:
- net/inetutils/Makefile                                        1.12-1.13
- net/inetutils/distinfo                                        1.8-1.9
- net/inetutils/patches/patch-telnetd_utility.c                 deleted

---
   Module Name: pkgsrc
   Committed By:        vins
   Date:                Sun Apr 19 19:15:38 UTC 2026

   Modified Files:
        pkgsrc/net/inetutils: Makefile distinfo
   Added Files:
        pkgsrc/net/inetutils/patches: patch-telnetd_utility.c

   Log Message:
   net/inetutils: patch against CVE-2026-24061

   Bump revision.

---
   Module Name: pkgsrc
   Committed By:        wiz
   Date:                Thu Apr 30 05:44:15 UTC 2026

   Modified Files:
        pkgsrc/net/inetutils: Makefile distinfo
   Removed Files:
        pkgsrc/net/inetutils/patches: patch-telnetd_utility.c

   Log Message:
   inetutils: update to 2.8.

   # Noteworthy changes in release 2.8 (2026-04-29) [stable]

   ** telnetd no longer supports the --debug (-D) option.  Previously, it
   would open a predictable file name at /tmp/telnet.debug, following it if
   it were a symbolic link.  The data printed to it could also be
   controlled by a client.  These behaviors could be combined to result in
   a local privilege escalation.  Reported by Justin Swartz in
   <https://lists.gnu.org/r/bug-inetutils/2026-03/msg00040.html>.
   Guillem Jover also mentioned that another user can create the file
   before telnetd does, keep the file open, and snoop on sessions which may
   include credentials in
   <https://lists.gnu.org/r/bug-inetutils/2026-03/msg00048.html>.

   ** telnet no longer leaks the value of unexported environment variables
   to servers sending the NEW-ENVIRON SEND USERVAR command.
   Reported by Justin Swartz in
   <https://www.openwall.com/lists/oss-security/2026/03/13/1>.

   ** telnetd no longer allows clients to write past the end of a stack
   allocated buffer, possibly leading to remote code execution, using an
   SLC suboption with many triplets using function octets greater than 18.
   CVE-2026-32746
   Reported by Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg,
   Daniel Lubel at DREAM Security Research Team in
   <https://lists.gnu.org/r/bug-inetutils/2026-03/msg00031.html>.

   ** telnetd now ignores all environment options by default.  Environment
   variables passed by the new --accept-env option can bypass this
   restriction.  This is necessary to avoid vulnerabilities similar to
   CVE-2026-28372, since many different environment variables can be used
   to escalate privileges.

   ** Fix telnetd remote authentication by-pass vulnerability.  CVE-2026-24061
   Reported by Kyu Neushwaistein.  Initial patch by Paul Eggert; further
   improvements and security advisory by Simon Josefsson.

   ** Prevent privilege escalation via telnetd abusing systemd service
   credentials support added to the login(1) implementation of util-linux
   in release 2.40.  CVE-2026-28372
   Reported by Ron Ben Yizhak@SafeBreach in
   <https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>.

   ** telnet: Drop everything related to TN3270.
   The code did not build (several missing required header files) and
   even if we could fix it, we have no way to test it. It may contain
   security vulnerabilities.

   ** inetd: Adds new --foreground parameter to avoid forking.
   See <https://codeberg.org/inetutils/inetutils/pulls/10>, patch by
   Guillem Jover.

   ** Paths uses $(runstatedir) instead of $(localstatedir)/run for PID files etc.
   The intention is that this is a no-op for normal installations, and
   the files should end up in the same paths because the default value
   for $(runstatedor) is $(localstatedir)/run.

   ** Some compiler warnings are now enabled by default.
   Disable with --enable-gcc-warnings=no.  Based on the Gnulib
   manywarnings module, see
   <https://www.gnu.org/software/gnulib/manual/html_node/manywarnings.html>.

   ** configure.ac avoid implicit declaration of tcpd.h hosts_ctl.
   Patch and report by Mike Gilbert <floppym%gentoo.org@localhost> in
   <https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00026.html>.

   ** tests: Improve libls test that doesn't work reliably across file systems.
   See <https://codeberg.org/inetutils/inetutils/pulls/9>.

   ** Older ChangeLog.? files not included in release tarball.
   They are still available in the git history.  Saves around 0.7MB
   uncompressed in the release tarball.  Compare GNU CoreUtils
   https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/NEWS?id=4e112e90b11b70bd6dc5b441f820803fc2aadd69.


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.11.2.1 pkgsrc/net/inetutils/Makefile
cvs rdiff -u -r1.7 -r1.7.2.1 pkgsrc/net/inetutils/distinfo
cvs rdiff -u -r0 -r1.2.2.2 \
    pkgsrc/net/inetutils/patches/patch-telnetd_utility.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/inetutils/Makefile
diff -u pkgsrc/net/inetutils/Makefile:1.11 pkgsrc/net/inetutils/Makefile:1.11.2.1
--- pkgsrc/net/inetutils/Makefile:1.11  Sat Feb  7 09:53:47 2026
+++ pkgsrc/net/inetutils/Makefile       Thu May  7 22:37:51 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.11 2026/02/07 09:53:47 vins Exp $
+# $NetBSD: Makefile,v 1.11.2.1 2026/05/07 22:37:51 maya Exp $
 
-DISTNAME=      inetutils-2.7
+DISTNAME=      inetutils-2.8
 CATEGORIES=    net
 MASTER_SITES=  ${MASTER_SITE_GNU:=inetutils/}
 
@@ -11,6 +11,9 @@ LICENSE=      gnu-gpl-v3
 
 TOOL_DEPENDS+=         help2man-[0-9]*:../../converters/help2man
 
+# as of 2.8:
+# two test failure due to ctype(3) misuse, reported upstream per email
+
 USE_TOOLS+=            makeinfo yacc
 INFO_FILES=            yes
 

Index: pkgsrc/net/inetutils/distinfo
diff -u pkgsrc/net/inetutils/distinfo:1.7 pkgsrc/net/inetutils/distinfo:1.7.2.1
--- pkgsrc/net/inetutils/distinfo:1.7   Sat Feb  7 09:53:47 2026
+++ pkgsrc/net/inetutils/distinfo       Thu May  7 22:37:51 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.7 2026/02/07 09:53:47 vins Exp $
+$NetBSD: distinfo,v 1.7.2.1 2026/05/07 22:37:51 maya Exp $
 
-BLAKE2s (inetutils-2.7.tar.gz) = 537183861935001f209af6f8a4a1d9e223bb879aedc4ec0f180a98aaeda2feee
-SHA512 (inetutils-2.7.tar.gz) = 8f36bea126108e8f48f2c436c9ff11684f3bd51c4e48090f0ab8626b8c5878b6dc8c64b84cd7a6220913f68c8602b37c8ac632fe9ef530bf5018c6e51ee1a90b
-Size (inetutils-2.7.tar.gz) = 3157952 bytes
+BLAKE2s (inetutils-2.8.tar.gz) = 4c862ef324da6b9b1ad62d24e56de4918425776fd7d204efaaecd7cdf595e80c
+SHA512 (inetutils-2.8.tar.gz) = 00b33c9d712cf670f16dbefc963fed880088ff67f506df54fd02fdfc0f8c05d379faba5d602c8772c4dc4fd72e1fa8733777d5840784aa86e092eeb5d0f905f7
+Size (inetutils-2.8.tar.gz) = 2985957 bytes
 SHA1 (patch-libinetutils_libinetutils.h) = 4fd40c71340a90cbe606b71655555d98dfc7e2c6
 SHA1 (patch-ping_Makefile.in) = bfc193800d353496ce2dc639803c356eef7a655a
 SHA1 (patch-src_Makefile.in) = a8321822fdd68db4ec86ad232b59aaad92583297

Added files:

Index: pkgsrc/net/inetutils/patches/patch-telnetd_utility.c
diff -u /dev/null pkgsrc/net/inetutils/patches/patch-telnetd_utility.c:1.2.2.2
--- /dev/null   Thu May  7 22:37:52 2026
+++ pkgsrc/net/inetutils/patches/patch-telnetd_utility.c        Thu May  7 22:37:51 2026
@@ -0,0 +1,52 @@
+$NetBSD: patch-telnetd_utility.c,v 1.2.2.2 2026/05/07 22:37:51 maya Exp $
+
+Sanitize the USER environment variable before passing it to login(1).
+Fixes CVE-2026-24061. Reference:
+https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html
+
+--- telnetd/utility.c.orig     2025-12-14 15:12:20.000000000 +0000
++++ telnetd/utility.c
+@@ -1684,6 +1684,17 @@ static void _expand_cond (struct line_ex
+ static void _skip_block (struct line_expander *exp);
+ static void _expand_block (struct line_expander *exp);
+ 
++static char *
++sanitize (const char *u)
++{
++  /* Ignore values starting with '-' or containing shell metachars, as
++     they can cause trouble.  */
++  if (u && *u != '-' && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")])
++    return u;
++  else
++    return "";
++}
++
+ /* Expand a variable referenced by its short one-symbol name.
+    Input: exp->cp points to the variable name.
+    FIXME: not implemented */
+@@ -1710,13 +1721,13 @@ _var_short_name (struct line_expander *e
+       return xstrdup (timebuf);
+ 
+     case 'h':
+-      return xstrdup (remote_hostname);
++      return xstrdup (sanitize (remote_hostname));
+ 
+     case 'l':
+-      return xstrdup (local_hostname);
++      return xstrdup (sanitize (local_hostname));
+ 
+     case 'L':
+-      return xstrdup (line);
++      return xstrdup (sanitize (line));
+ 
+     case 't':
+       q = strchr (line + 1, '/');
+@@ -1733,7 +1744,7 @@ _var_short_name (struct line_expander *e
+       return user_name ? xstrdup (user_name) : NULL;
+ 
+     case 'U':
+-      return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup ("");
++      return user_name ? xstrdup (sanitize (user_name)) : NULL;
+ 
+     default:
+       exp->state = EXP_STATE_ERROR;

Prev by Date: CVS commit: [pkgsrc-2026Q1] pkgsrc/www/curl
Next by Date: CVS commit: [pkgsrc-2026Q1] pkgsrc/mail/postfix
Previous by Thread: CVS commit: [pkgsrc-2026Q1] pkgsrc/www/curl
Next by Thread: CVS commit: [pkgsrc-2026Q1] pkgsrc/mail/postfix
Indexes:

Home | Main Index | Thread Index | Old Index