misaka00251/openRuyi
0
0
Fork 0
forked from openRuyi-Project/openRuyi
Code Pull Requests Activity

Compare commits

merge into: misaka00251/openRuyi:addasciinema
Branches Tags
misaka00251/openRuyi:main misaka00251/openRuyi:add-asciinema misaka00251/openRuyi:add_asciinema misaka00251/openRuyi:addasciinema
...
pull from: misaka00251/openRuyi:main
Branches Tags
misaka00251/openRuyi:add-asciinema misaka00251/openRuyi:add_asciinema misaka00251/openRuyi:addasciinema misaka00251/openRuyi:main openRuyi-Project/openRuyi:main

1 Commits
addasciinema ... main

Author SHA1 Message Date
Suyun114 a0ba031d8e SPECS: inetutils: Update to 2.8 [security-fixes]. 
Fix CVE-2026-32772.

Signed-off-by: Suyun <ziyu.oerv@isrc.iscas.ac.cn>
 2026-06-04 17:52:07 +08:00
7 changed files with 2 additions and 527 deletions
Expand all files Collapse all files
SPECS/inetutils/0001-fix-injection-bug-with-bogus-user-names.patch
-34
View File
@@ -1,34 +0,0 @@
From fd702c02497b2f398e739e3119bed0b23dd7aa7b Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Tue, 20 Jan 2026 01:10:36 -0800
Subject: [PATCH] Fix injection bug with bogus user names
Problem reported by Kyu Neushwaistein.
* telnetd/utility.c (_var_short_name):
Ignore user names that start with '-' or contain shell metacharacters.
Signed-off-by: Simon Josefsson <simon@josefsson.org>
---
telnetd/utility.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/telnetd/utility.c b/telnetd/utility.c
index b486226e..c02cd0e6 100644
--- a/telnetd/utility.c
+++ b/telnetd/utility.c
@@ -1733,7 +1733,14 @@ _var_short_name (struct line_expander *exp)
return user_name ? xstrdup (user_name) : NULL;
case 'U':
- return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup ("");
+ {
+ /* Ignore user names starting with '-' or containing shell
+ metachars, as they can cause trouble. */
+ char const *u = getenv ("USER");
+ return xstrdup ((u && *u != '-'
+ && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")])
+ ? u : "");
+ }
default:
exp->state = EXP_STATE_ERROR;
SPECS/inetutils/0002-sanitize-all-variable-expansions.patch
-78
View File
@@ -1,78 +0,0 @@
From ccba9f748aa8d50a38d7748e2e60362edd6a32cc Mon Sep 17 00:00:00 2001
From: Simon Josefsson <simon@josefsson.org>
Date: Tue, 20 Jan 2026 14:02:39 +0100
Subject: [PATCH] telnetd: Sanitize all variable expansions
* telnetd/utility.c (sanitize): New function.
(_var_short_name): Use it for all variables.
---
telnetd/utility.c | 32 ++++++++++++++++++--------------
1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/telnetd/utility.c b/telnetd/utility.c
index c02cd0e6..b21ad961 100644
--- a/telnetd/utility.c
+++ b/telnetd/utility.c
@@ -1684,6 +1684,17 @@ static void _expand_cond (struct line_expander *exp);
static void _skip_block (struct line_expander *exp);
static void _expand_block (struct line_expander *exp);
+static char *
+sanitize (const char *u)
+{
+ /* Ignore values starting with '-' or containing shell metachars, as
+ they can cause trouble. */
+ if (u && *u != '-' && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")])
+ return u;
+ else
+ return "";
+}
+
/* Expand a variable referenced by its short one-symbol name.
Input: exp->cp points to the variable name.
FIXME: not implemented */
@@ -1710,13 +1721,13 @@ _var_short_name (struct line_expander *exp)
return xstrdup (timebuf);
case 'h':
- return xstrdup (remote_hostname);
+ return xstrdup (sanitize (remote_hostname));
case 'l':
- return xstrdup (local_hostname);
+ return xstrdup (sanitize (local_hostname));
case 'L':
- return xstrdup (line);
+ return xstrdup (sanitize (line));
case 't':
q = strchr (line + 1, '/');
@@ -1724,23 +1735,16 @@ _var_short_name (struct line_expander *exp)
q++;
else
q = line;
- return xstrdup (q);
+ return xstrdup (sanitize (q));
case 'T':
- return terminaltype ? xstrdup (terminaltype) : NULL;
+ return terminaltype ? xstrdup (sanitize (terminaltype)) : NULL;
case 'u':
- return user_name ? xstrdup (user_name) : NULL;
+ return user_name ? xstrdup (sanitize (user_name)) : NULL;
case 'U':
- {
- /* Ignore user names starting with '-' or containing shell
- metachars, as they can cause trouble. */
- char const *u = getenv ("USER");
- return xstrdup ((u && *u != '-'
- && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")])
- ? u : "");
- }
+ return xstrdup (sanitize (getenv ("USER")));
default:
exp->state = EXP_STATE_ERROR;
SPECS/inetutils/0003-telnetd-don-t-allow-systemd-service-credentials.patch
-55
View File
@@ -1,55 +0,0 @@
From 4db2f19f4caac03c7f4da6363c140bd70df31386 Mon Sep 17 00:00:00 2001
From: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
Date: Sun, 15 Feb 2026 15:38:50 +0100
Subject: [PATCH] telnetd: don't allow systemd service credentials
The login(1) implementation of util-linux added support for
systemd service credentials in release 2.40. This allows to
bypass authentication by specifying a directory name in the
environment variable CREDENTIALS_DIRECTORY. If this directory
contains a file named 'login.noauth' with the content of 'yes',
login(1) skips authentication.
GNU Inetutils telnetd supports to set arbitrary environment
variables using the 'Environment' and 'New Environment'
Telnet options. This allows specifying a directory containing
'login.noauth'. A local user can create such a directory
and file, and, e.g., specify the user name 'root' to escalate
privileges.
This problem was reported by Ron Ben Yizhak in
<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>.
This commit clears CREDENTIALS_DIRECTORY from the environment
before executing login(1) to implement a simple fix that can
be backported easily.
* NEWS.md: Mention fix.
* THANKS: Mention Ron Ben Yizhak.
* telnetd/pty.c: Clear CREDENTIALS_DIRECTORY from the environment
before executing 'login'.
---
NEWS.md | 5 +++++
THANKS | 1 +
telnetd/pty.c | 8 ++++++++
3 files changed, 14 insertions(+)
diff --git a/telnetd/pty.c b/telnetd/pty.c
index c727e7be..f3518049 100644
--- a/telnetd/pty.c
+++ b/telnetd/pty.c
@@ -129,6 +129,14 @@ start_login (char *host, int autologin, char *name)
if (!cmd)
fatal (net, "can't expand login command line");
argcv_get (cmd, "", &argc, &argv);
+
+ /* util-linux's "login" introduced an authentication bypass method
+ * via environment variable "CREDENTIALS_DIRECTORY" in version 2.40.
+ * Clear it from the environment before executing "login" to prevent
+ * abuse via Telnet.
+ */
+ unsetenv ("CREDENTIALS_DIRECTORY");
+
execv (argv[0], argv);
syslog (LOG_ERR, "%s: %m\n", cmd);
fatalperror (net, cmd);
SPECS/inetutils/0004-telnetd-add-the-new-accept-env-option.patch
-268
View File
@@ -1,268 +0,0 @@
From 81d436d26d5497423e28841af91756e373446cf4 Mon Sep 17 00:00:00 2001
From: Collin Funk <collin.funk1@gmail.com>
Date: Thu, 5 Mar 2026 21:35:22 -0800
Subject: [PATCH] telnetd: add the new --accept-env option
This changes telnetd to ignore all environment options from clients
unless the variable was listed by an --accept-env option. This
mitigates the many ways to escalate privileges using environment
variables.
* NEWS.md: Mention the change.
* bootstrap.conf (gnulib_modules): Add hashcode-string1, hash-set, and
xset.
* doc/inetutils.texi (telnetd invocation): Mention the new option.
* telnetd/pty.c (scrub_env): Remove function.
(start_login): Remove call to scrub_env. Remove unsetenv call that is
no longer needed.
* telnetd/state.c (suboption): Check for the environment variable in
accept_env_set before making changes to the environment.
* telnetd/telnetd.c (accept_env_set): New variable.
(string_hashcode, string_equals): New function needed for
gl_set_create_empty.
(ACCEPT_ENV_OPTION): New definition.
(argp_options): Add the --accept-env option.
(parse_opt): Process the new option.
(telnetd_setup): Clear the environment before processing options.
* telnetd/telnetd.h: Include gl_hash_set.h, gl_xset.h, and
hashcode-string1.h.
(accept_env_set): New declaration.
---
NEWS.md | 4 ++++
bootstrap.conf | 3 +++
doc/inetutils.texi | 6 ++++++
telnetd/pty.c | 32 --------------------------------
telnetd/state.c | 22 ++++++++++++++--------
telnetd/telnetd.c | 44 ++++++++++++++++++++++++++++++++++++--------
telnetd/telnetd.h | 4 ++++
7 files changed, 67 insertions(+), 48 deletions(-)
diff --git a/bootstrap.conf b/bootstrap.conf
index 8c4d662b..964983b5 100644
--- a/bootstrap.conf
+++ b/bootstrap.conf
@@ -66,6 +66,8 @@ getusershell
git-version-gen
gitlog-to-changelog
glob
+hashcode-string1
+hash-set
hostent
intprops
inttostr
@@ -120,6 +122,7 @@ xalloc-die
xgetcwd
xgetdomainname
xgethostname
+xset
xsize
xstrtoimax
xvasprintf
diff --git a/doc/inetutils.texi b/doc/inetutils.texi
index 3f1adc9c..06d10d6d 100644
--- a/doc/inetutils.texi
+++ b/doc/inetutils.texi
@@ -4961,6 +4961,12 @@ telnetd [@var{option}]@dots{}
@end example
@table @option
+@item --accept-env @var{VAR}
+@opindex --accept-env
+Allow clients to define the @var{VAR} environment variable. GNU
+@command{telnetd} removes all environment variables by default since
+many of them can be used to escalate privileges.
+
@item -a @var{authmode}
@itemx --authmode=@var{authmode}
@opindex -a
diff --git a/telnetd/pty.c b/telnetd/pty.c
index f3518049..4bf407ad 100644
--- a/telnetd/pty.c
+++ b/telnetd/pty.c
@@ -83,29 +83,6 @@ startslave (char *host, int autologin, char *autoname)
return master;
}
-/*
- * scrub_env()
- *
- * Remove a few things from the environment that
- * don't need to be there.
- *
- * Security fix included in telnet-95.10.23.NE of David Borman <deb@cray.com>.
- */
-static void
-scrub_env (void)
-{
- char **cpp, **cpp2;
-
- for (cpp2 = cpp = environ; *cpp; cpp++)
- {
- if (strncmp (*cpp, "LD_", 3)
- && strncmp (*cpp, "_RLD_", 5)
- && strncmp (*cpp, "LIBPATH=", 8) && strncmp (*cpp, "IFS=", 4))
- *cpp2++ = *cpp;
- }
- *cpp2 = 0;
-}
-
void
start_login (char *host, int autologin, char *name)
{
@@ -117,8 +94,6 @@ start_login (char *host, int autologin, char *name)
(void) autologin;
(void) name;
- scrub_env ();
-
/* Set the environment variable "LINEMODE" to indicate our linemode */
if (lmodetype == REAL_LINEMODE)
setenv ("LINEMODE", "real", 1);
@@ -130,13 +105,6 @@ start_login (char *host, int autologin, char *name)
fatal (net, "can't expand login command line");
argcv_get (cmd, "", &argc, &argv);
- /* util-linux's "login" introduced an authentication bypass method
- * via environment variable "CREDENTIALS_DIRECTORY" in version 2.40.
- * Clear it from the environment before executing "login" to prevent
- * abuse via Telnet.
- */
- unsetenv ("CREDENTIALS_DIRECTORY");
-
execv (argv[0], argv);
syslog (LOG_ERR, "%s: %m\n", cmd);
fatalperror (net, cmd);
diff --git a/telnetd/state.c b/telnetd/state.c
index a9a51e00..8c8138df 100644
--- a/telnetd/state.c
+++ b/telnetd/state.c
@@ -1495,10 +1495,13 @@ suboption (void)
case NEW_ENV_VAR:
case ENV_USERVAR:
*cp = '\0';
- if (valp)
- setenv (varp, valp, 1);
- else
- unsetenv (varp);
+ if (accept_env_set && gl_set_search (accept_env_set, varp))
+ {
+ if (valp)
+ setenv (varp, valp, 1);
+ else
+ unsetenv (varp);
+ }
cp = varp = (char *) subpointer;
valp = 0;
break;
@@ -1514,10 +1517,13 @@ suboption (void)
}
}
*cp = '\0';
- if (valp)
- setenv (varp, valp, 1);
- else
- unsetenv (varp);
+ if (accept_env_set && gl_set_search (accept_env_set, varp))
+ {
+ if (valp)
+ setenv (varp, valp, 1);
+ else
+ unsetenv (varp);
+ }
break;
} /* end of case TELOPT_NEW_ENVIRON */
#if defined AUTHENTICATION
diff --git a/telnetd/telnetd.c b/telnetd/telnetd.c
index 219a19da..d90985b9 100644
--- a/telnetd/telnetd.c
+++ b/telnetd/telnetd.c
@@ -105,10 +105,32 @@ char *terminaltype;
int SYNCHing; /* we are in TELNET SYNCH mode */
struct telnetd_clocks clocks;
-
+
+/* Set of environment variables that we do not remove from clients. */
+gl_set_t accept_env_set = NULL;
+
+static size_t
+string_hashcode (const void *s)
+{
+ return hash_string (s, strlen (s));
+}
+
+static bool
+string_equals (const void *a, const void *b)
+{
+ return strcmp (a, b) == 0;
+}
+
+/* List of long options without short option counterparts. */
+enum
+{
+ ACCEPT_ENV_OPTION = UCHAR_MAX + 1
+};
static struct argp_option argp_options[] = {
#define GRID 10
+ {"accept-env", ACCEPT_ENV_OPTION, "NAME", 0,
+ "accept the environment variable from clients", GRID},
{"debug", 'D', "LEVEL", OPTION_ARG_OPTIONAL,
"set debugging level", GRID},
{"exec-login", 'E', "STRING", 0,
@@ -144,6 +166,14 @@ parse_opt (int key, char *arg, struct argp_state *state MAYBE_UNUSED)
{
switch (key)
{
+
+ case ACCEPT_ENV_OPTION:
+ if (!accept_env_set)
+ accept_env_set = gl_set_create_empty (GL_HASH_SET, string_equals,
+ string_hashcode, NULL);
+ gl_set_add (accept_env_set, arg);
+ break;
+
#ifdef AUTHENTICATION
case 'a':
parse_authmode (arg);
@@ -497,13 +527,11 @@ telnetd_setup (int fd)
io_setup ();
- /* Before doing anything related to the identity of the client,
- * scrub the environment variable USER, since it may be set with
- * an irrelevant user name at this point. OpenBSD has been known
- * to offend at this point with their own inetd. Any demand for
- * autologin will get attention in getterminaltype().
- */
- unsetenv ("USER");
+ /* Clear the environment of all variables before doing anything. This avoids
+ many ways of escalating privileges. Environment variable options sent by
+ the client will be checked against ACCEPT_ENV_SET. */
+ static char *dummy_environ[] = { NULL };
+ environ = dummy_environ;
/* get terminal type. */
uname[0] = 0;
diff --git a/telnetd/telnetd.h b/telnetd/telnetd.h
index df31a819..57d3130e 100644
--- a/telnetd/telnetd.h
+++ b/telnetd/telnetd.h
@@ -57,6 +57,9 @@
#define obstack_chunk_free free
#include <obstack.h>
+#include "gl_hash_set.h"
+#include "gl_xset.h"
+#include "hashcode-string1.h"
#include "xalloc.h"
#ifndef HAVE_CC_T
@@ -251,6 +254,7 @@ extern char *user_name;
extern int pty, net;
extern int SYNCHing; /* we are in TELNET SYNCH mode */
extern struct telnetd_clocks clocks;
+extern gl_set_t accept_env_set;
extern char line[];
extern char *xstrdup (const char *);
SPECS/inetutils/0005-telnetd-fix-stack-buffer-overflow-processing-SLC-sub.patch
-35
View File
@@ -1,35 +0,0 @@
From 6864598a29b652a6b69a958f5cd1318aa2b258af Mon Sep 17 00:00:00 2001
From: Collin Funk <collin.funk1@gmail.com>
Date: Wed, 11 Mar 2026 23:06:46 -0700
Subject: [PATCH] telnetd: fix stack buffer overflow processing SLC suboption
triplets
Previously a client could write past the end of an internal buffer using
an SLC suboption with many triplets using function octets greater than
18, possibly leading to remote code execution. Reported by Adiel Sol,
Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel at DREAM
Security Research Team at:
<https://lists.gnu.org/r/bug-inetutils/2026-03/msg00031.html>.
* telnetd/slc.c (add_slc): Return early if writing the tuple would lead
us to writing past the end of the buffer.
* NEWS.md: Mention the fix.
---
NEWS.md | 6 ++++++
telnetd/slc.c | 3 +++
2 files changed, 9 insertions(+)
diff --git a/telnetd/slc.c b/telnetd/slc.c
index f45e7725..2dfef22f 100644
--- a/telnetd/slc.c
+++ b/telnetd/slc.c
@@ -162,6 +162,9 @@ get_slc_defaults (void)
void
add_slc (char func, char flag, cc_t val)
{
+ /* Do nothing if the entire triplet cannot fit in the buffer. */
+ if (slcbuf + sizeof slcbuf - slcptr <= 6)
+ return;
if ((*slcptr++ = (unsigned char) func) == 0xff)
*slcptr++ = 0xff;
SPECS/inetutils/0006-tests-Remove-bogus-test-for-unsorted-file-listing.patch
-42
View File
@@ -1,42 +0,0 @@
From fa9ca2f43b38a88620e0a54e3570ba3e0f592c2d Mon Sep 17 00:00:00 2001
From: Guillem Jover <guillem@hadrons.org>
Date: Fri, 20 Jun 2025 03:18:06 +0200
Subject: [PATCH] tests: Remove bogus libls test for unsorted file listing
We cannot reliably test whether the -f option works against a normal
filesystem, because that relies on the unsorted output coming out
accidentally not sorted, and this has been the cause for several
indeterministic build failures in various hosts (such as some
sparc64 or reproducible build nodes).
This could be guaranteed with something like disorderfs, but we do
not bother and simply remove the test case.
---
tests/libls.sh | 4 ----
1 file changed, 4 deletions(-)
diff --git a/tests/libls.sh b/tests/libls.sh
index 827020f2..9fdef8be 100755
--- a/tests/libls.sh
+++ b/tests/libls.sh
@@ -91,7 +91,6 @@ REPLY_a1=`$LS -a1 $LSDIR`
REPLY_A1=`$LS -A1 $LSDIR`
REPLY_C=`$LS -C $LSDIR`
-REPLY_Cf=`$LS -Cf $LSDIR`
REPLY_Cr=`$LS -Cr $LSDIR`
REPLY_Ct=`$LS -Ct $LSDIR`
REPLY_x=`$LS -x $LSDIR`
@@ -130,9 +129,6 @@ test `echo "$diff" | $GREP -c -v '^[.]\{1,2\}$'` -eq 0 ||
fi
}
-test x"$REPLY_C" != x"$REPLY_Cf" ||
- { errno=1; echo >&2 'Failed to disable sorting with "-f".'; }
-
test x"$REPLY_C" != x"$REPLY_Cr" ||
{ errno=1; echo >&2 'Failed to reverse sorting with "-r".'; }
--
2.47.3
SPECS/inetutils/inetutils.spec
+2 -15
View File
@@ -5,29 +5,16 @@
# SPDX-License-Identifier: MulanPSL-2.0
Name: inetutils
Version: 2.7
Version: 2.8
Release: %autorelease
Summary: GNU network utilities
License: GPL-3.0-or-later
URL: https://www.gnu.org/software/inetutils
VCS: git:https://codeberg.org/inetutils/inetutils.git
#!RemoteAsset
#!RemoteAsset: sha256:a76bb668060c5d28266a4dcd533cbf48e9a2d2542d1be3e5372e4307d534cd5b
Source0: https://ftpmirror.gnu.org/gnu/inetutils/inetutils-v%{version}-src.tar.gz
BuildSystem: autotools
# CVE-2026-24061: https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b
Patch0: 0001-fix-injection-bug-with-bogus-user-names.patch
# CVE-2026-24061: https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc
Patch1: 0002-sanitize-all-variable-expansions.patch
# CVE-2026-28372: https://codeberg.org/inetutils/inetutils/commit/4db2f19f4caac03c7f4da6363c140bd70df31386
Patch2: 0003-telnetd-don-t-allow-systemd-service-credentials.patch
# CVE-2026-24061: https://codeberg.org/inetutils/inetutils/commit/81d436d26d5497423e28841af91756e373446cf4
Patch3: 0004-telnetd-add-the-new-accept-env-option.patch
# CVE-2026-32746: https://codeberg.org/inetutils/inetutils/commit/6864598a29b652a6b69a958f5cd1318aa2b258af
Patch4: 0005-telnetd-fix-stack-buffer-overflow-processing-SLC-sub.patch
# https://codeberg.org/inetutils/inetutils/pulls/9
Patch5: 0006-tests-Remove-bogus-test-for-unsorted-file-listing.patch
BuildOption(conf): --disable-syslogd
BuildOption(conf): --disable-dnsdomainname
BuildOption(conf): --disable-ping