inetutils: patch CVE-2026-28372

Pick patch according to [1] (equivalent to patch from [2]). This CVE is needed if util-linux >= 2.40 is used which is not the case in Yocto scarthgap, however it's always possible that users update packages in their layers. [1] https://security-tracker.debian.org/tracker/CVE-2026-28372 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-28372 (From OE-Core rev: 2ab4f313ebd2c8f2d801dc3f53df3a0741cf848e) Signed-off-by: Peter Marko <peter.marko@siemens.com> [YC: replaced kirkstone by scarthap] Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
author: Peter Marko <peter.marko@siemens.com> 2026-03-05 19:51:13 +0100
committer: Paul Barker <paul@pbarker.dev> 2026-03-25 17:34:13 +0000
commit: 6d3b13d2cce757d5fa3c529418ab974642067a6e (patch)
tree: 7d4eecea78dbb62680d539c6fca4d349cac3fdfe /meta
parent: d9f03b7c82101ae64aa79a2f9aa44afd7c8ffc4c (diff)
download: poky-6d3b13d2cce757d5fa3c529418ab974642067a6e.tar.gz
2 files changed, 87 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch
new file mode 100644
index 0000000000..4e6bf0c87c
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch
@@ -0,0 +1,86 @@
+From 4db2f19f4caac03c7f4da6363c140bd70df31386 Mon Sep 17 00:00:00 2001
+From: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
+Date: Sun, 15 Feb 2026 15:38:50 +0100
+Subject: [PATCH] telnetd: don't allow systemd service credentials
+The login(1) implementation of util-linux added support for
+systemd service credentials in release 2.40.  This allows to
+bypass authentication by specifying a directory name in the
+environment variable CREDENTIALS_DIRECTORY.  If this directory
+contains a file named 'login.noauth' with the content of 'yes',
+login(1) skips authentication.
+GNU Inetutils telnetd supports to set arbitrary environment
+variables using the 'Environment' and 'New Environment'
+Telnet options.  This allows specifying a directory containing
+'login.noauth'.  A local user can create such a directory
+and file, and, e.g., specify the user name 'root' to escalate
+privileges.
+This problem was reported by Ron Ben Yizhak in
+<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>.
+This commit clears CREDENTIALS_DIRECTORY from the environment
+before executing login(1) to implement a simple fix that can
+be backported easily.
+* NEWS.md: Mention fix.
+* THANKS: Mention Ron Ben Yizhak.
+* telnetd/pty.c: Clear CREDENTIALS_DIRECTORY from the environment
+before executing 'login'.
+CVE: CVE-2026-28372
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=4db2f19f4caac03c7f4da6363c140bd70df31386]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ NEWS          | 5 +++++
+ THANKS        | 1 +
+ telnetd/pty.c | 8 ++++++++
+ 3 files changed, 14 insertions(+)
+diff --git a/NEWS b/NEWS
+index 877ca53b..f5172a71 100644
+--- a/NEWS
+++ b/NEWS
+@@ -1,5 +1,10 @@
+ GNU inetutils NEWS -- history of user-visible changes.
+ 
+** Prevent privilege escalation via telnetd abusing systemd service
+credentials support added to the login(1) implementation of util-linux
+in release 2.40.  Reported by Ron Ben Yizhak in
+<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>.
+
+ * Noteworthy changes in release 2.5 (2023-12-29) [stable]
+ 
+ ** ftpd, rcp, rlogin, rsh, rshd, uucpd
+diff --git a/THANKS b/THANKS
+index 8d1d3dbb..ef5f6063 100644
+--- a/THANKS
+++ b/THANKS
+@@ -9,6 +9,7 @@ In particular:
+   NIIBE Yutaka          (Security fixes & making talk finally work)
+   Nathan Neulinger       (tftpd)
+   Thomas Bushnell        (sockaddr sin_len field)
+  Ron Ben Yizhak         (reported privilege escalation via telnetd)
+ 
+ Please see version control logs and ChangeLog.? for full credits.
+ 
+diff --git a/telnetd/pty.c b/telnetd/pty.c
+index c727e7be..f3518049 100644
+--- a/telnetd/pty.c
+++ b/telnetd/pty.c
+@@ -130,6 +130,14 @@ start_login (char *host, int autologin, char *name)
+   if (!cmd)
+     fatal (net, "can't expand login command line");
+   argcv_get (cmd, "", &argc, &argv);
+
+  /* util-linux's "login" introduced an authentication bypass method
+   * via environment variable "CREDENTIALS_DIRECTORY" in version 2.40.
+   * Clear it from the environment before executing "login" to prevent
+   * abuse via Telnet.
+   */
+  unsetenv ("CREDENTIALS_DIRECTORY");
+
+   execv (argv[0], argv);
+   syslog (LOG_ERR, "%s: %m\n", cmd);
+   fatalperror (net, cmd);
diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.5.bb b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb
index 486878022f..6c53902356 100644
--- a/meta/recipes-connectivity/inetutils/inetutils_2.5.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb
@@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
           file://tftpd.xinetd.inetutils \
           file://CVE-2026-24061-1.patch \
           file://CVE-2026-24061-2.patch \
+           file://CVE-2026-28372.patch \
           "
 inherit autotools gettext update-alternatives texinfo
author	Peter Marko <peter.marko@siemens.com>	2026-03-05 19:51:13 +0100
committer	Paul Barker <paul@pbarker.dev>	2026-03-25 17:34:13 +0000
commit	6d3b13d2cce757d5fa3c529418ab974642067a6e (patch)
tree	7d4eecea78dbb62680d539c6fca4d349cac3fdfe /meta
parent	d9f03b7c82101ae64aa79a2f9aa44afd7c8ffc4c (diff)
download	poky-6d3b13d2cce757d5fa3c529418ab974642067a6e.tar.gz

diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch new file mode 100644 index 0000000000..4e6bf0c87c --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch
@@ -0,0 +1,86 @@
		1	From 4db2f19f4caac03c7f4da6363c140bd70df31386 Mon Sep 17 00:00:00 2001
		2	From: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
		3	Date: Sun, 15 Feb 2026 15:38:50 +0100
		4	Subject: [PATCH] telnetd: don't allow systemd service credentials
		5
		6	The login(1) implementation of util-linux added support for
		7	systemd service credentials in release 2.40. This allows to
		8	bypass authentication by specifying a directory name in the
		9	environment variable CREDENTIALS_DIRECTORY. If this directory
		10	contains a file named 'login.noauth' with the content of 'yes',
		11	login(1) skips authentication.
		12
		13	GNU Inetutils telnetd supports to set arbitrary environment
		14	variables using the 'Environment' and 'New Environment'
		15	Telnet options. This allows specifying a directory containing
		16	'login.noauth'. A local user can create such a directory
		17	and file, and, e.g., specify the user name 'root' to escalate
		18	privileges.
		19
		20	This problem was reported by Ron Ben Yizhak in
		21	<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>.
		22
		23	This commit clears CREDENTIALS_DIRECTORY from the environment
		24	before executing login(1) to implement a simple fix that can
		25	be backported easily.
		26
		27	* NEWS.md: Mention fix.
		28	* THANKS: Mention Ron Ben Yizhak.
		29	* telnetd/pty.c: Clear CREDENTIALS_DIRECTORY from the environment
		30	before executing 'login'.
		31
		32	CVE: CVE-2026-28372
		33	Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=4db2f19f4caac03c7f4da6363c140bd70df31386]
		34	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		35	---
		36	NEWS \| 5 +++++
		37	THANKS \| 1 +
		38	telnetd/pty.c \| 8 ++++++++
		39	3 files changed, 14 insertions(+)
		40
		41	diff --git a/NEWS b/NEWS
		42	index 877ca53b..f5172a71 100644
		43	--- a/NEWS
		44	+++ b/NEWS
		45	@@ -1,5 +1,10 @@
		46	GNU inetutils NEWS -- history of user-visible changes.
		47
		48	+** Prevent privilege escalation via telnetd abusing systemd service
		49	+credentials support added to the login(1) implementation of util-linux
		50	+in release 2.40. Reported by Ron Ben Yizhak in
		51	+<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>.
		52	+
		53	* Noteworthy changes in release 2.5 (2023-12-29) [stable]
		54
		55	** ftpd, rcp, rlogin, rsh, rshd, uucpd
		56	diff --git a/THANKS b/THANKS
		57	index 8d1d3dbb..ef5f6063 100644
		58	--- a/THANKS
		59	+++ b/THANKS
		60	@@ -9,6 +9,7 @@ In particular:
		61	NIIBE Yutaka (Security fixes & making talk finally work)
		62	Nathan Neulinger (tftpd)
		63	Thomas Bushnell (sockaddr sin_len field)
		64	+ Ron Ben Yizhak (reported privilege escalation via telnetd)
		65
		66	Please see version control logs and ChangeLog.? for full credits.
		67
		68	diff --git a/telnetd/pty.c b/telnetd/pty.c
		69	index c727e7be..f3518049 100644
		70	--- a/telnetd/pty.c
		71	+++ b/telnetd/pty.c
		72	@@ -130,6 +130,14 @@ start_login (char host, int autologin, char name)
		73	if (!cmd)
		74	fatal (net, "can't expand login command line");
		75	argcv_get (cmd, "", &argc, &argv);
		76	+
		77	+ /* util-linux's "login" introduced an authentication bypass method
		78	+ * via environment variable "CREDENTIALS_DIRECTORY" in version 2.40.
		79	+ * Clear it from the environment before executing "login" to prevent
		80	+ * abuse via Telnet.
		81	+ */
		82	+ unsetenv ("CREDENTIALS_DIRECTORY");
		83	+
		84	execv (argv[0], argv);
		85	syslog (LOG_ERR, "%s: %m\n", cmd);
		86	fatalperror (net, cmd);


diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.5.bb b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb index 486878022f..6c53902356 100644 --- a/meta/recipes-connectivity/inetutils/inetutils_2.5.bb +++ b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb
@@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
20	file://tftpd.xinetd.inetutils \	20	file://tftpd.xinetd.inetutils \
21	file://CVE-2026-24061-1.patch \	21	file://CVE-2026-24061-1.patch \
22	file://CVE-2026-24061-2.patch \	22	file://CVE-2026-24061-2.patch \
		23	file://CVE-2026-28372.patch \
23	"	24	"
24		25
25	inherit autotools gettext update-alternatives texinfo	26	inherit autotools gettext update-alternatives texinfo