security/mit-krb5/patches/patch-ai


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

$NetBSD: patch-ai,v 1.4 2008/06/07 20:22:18 tonnerre Exp $

--- appl/telnet/telnetd/sys_term.c.orig	2008-06-07 15:55:51.000000000 +0200
+++ appl/telnet/telnetd/sys_term.c
@@ -1287,6 +1287,16 @@ start_login(host, autologin, name)
 #endif
 #if	defined (AUTHENTICATION)
 	if (auth_level >= 0 && autologin == AUTH_VALID) {
+		if (name[0] == '-') {
+			/* Authenticated and authorized to log in to an
+			   account starting with '-'?  Even if that
+			   unlikely case comes to pass, the current login
+			   program will not parse the resulting command
+			   line properly.  */
+			syslog(LOG_ERR, "user name cannot start with '-'");
+			fatal(net, "user name cannot start with '-'");
+			exit(1);
+		}
 # if	!defined(NO_LOGIN_F)
 #if	defined(LOGIN_CAP_F)
 		argv = addarg(argv, "-F");
@@ -1377,12 +1387,20 @@ start_login(host, autologin, name)
 	} else
 #endif
 	if (getenv("USER")) {
-		argv = addarg(argv, getenv("USER"));
+		char *user = getenv("USER");
+		if (user[0] == '-') {
+			/* "telnet -l-x ..." */
+			syslog(LOG_ERR, "user name cannot start with '-'");
+			fatal(net, "user name cannot start with '-'");
+			exit(EXIT_FAILURE);
+		}
+		argv = addarg(argv, user);
 #if	defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
 		{
 			register char **cpp;
 			for (cpp = environ; *cpp; cpp++)
-				argv = addarg(argv, *cpp);
+				if ((*cpp)[0] != '-')
+					argv = addarg(argv, *cpp);
 		}
 #endif
 		/*