Message-ID: <20260308100222.GA29407@openwall.com>
Date: Sun, 8 Mar 2026 11:02:22 +0100
From: Solar Designer <solar@...nwall.com>
To: Justin Swartz <justin.swartz@...ingedge.co.za>
Cc: oss-security@...ts.openwall.com, bug-inetutils@....org,
collin.funk1@...il.com, simon@...efsson.org,
auerswal@...x-ag.uni-kl.de, ron.benyizhak@...ebreach.com
Subject: Re: Telnetd Vulnerability Report

On Sun, Mar 08, 2026 at 11:41:47AM +0200, Justin Swartz wrote:
> On 2026-03-08 10:05, Solar Designer wrote:
> >On Sun, Mar 08, 2026 at 09:34:22AM +0200, Justin Swartz wrote:
> >>+is_env_var_allowed (const char *var, const char *val)
> >>+{
> >>+ const char * const *p;
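Review bot: the declaration of `p` at the top of is_env_var_allowed() deserves a one-line comment saying that it is a cursor over an array of const pointers to const strings. The `const` after the first `*` qualifies the array elements that `p` points at, not `p` itself, so `p` can still be advanced. Without the comment, the second `const` is easy to misread as making `p` immutable.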
> >
> >This second const here looks wrong as you're changing the value of this
> >pointer. I suggested this syntax only for the array, where you used it
> >correctly.
>
> That pointer isn't constant.

Oh, you're right, I was wrong. It's a non-const pointer to a const
pointer to a const string. Which is what we need here.

It's still uncommon in projects to const'ify string arrays like that,
but I think we should start doing that more. So I hope this little
digression we had is helpful beyond these telnetd patches.

Thank you for posting the tests.

Alexander
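
The declaration discussed above, as an added example that is not part of the original message or of the telnetd patch. The array contents and the names sample_allowed and sample_name_allowed are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample allowlist, not the list from the patch under review.
   First const:  the characters of each name are read-only.
   Second const: the array slots cannot be re-pointed after initialization,
                 so the toolchain is free to keep the table in read-only
                 storage.  */
static const char * const sample_allowed[] = {
  "TERM", "DISPLAY", "LANG", NULL	/* NULL terminates the list */
};

/* Hypothetical helper: return 1 if NAME exactly matches an entry, else 0.  */
int
sample_name_allowed (const char *name)
{
  /* p itself is not const, so p++ is legal; *p and **p are read-only.  */
  const char * const *p;

  if (name == NULL)
    return 0;

  for (p = sample_allowed; *p != NULL; p++)
    if (strcmp (name, *p) == 0)
      return 1;

  return 0;
}

/* Each of the following is rejected at compile time:
     sample_allowed[0] = "OTHER";   assignment to a read-only array slot
     *p = "OTHER";                  the same slot, reached through the cursor
     (*p)[0] = 'X';                 the characters are const as well
   By contrast, "const char * const * const q" would make the cursor itself
   const, and q++ would no longer compile.  */

int
main (void)
{
  return sample_name_allowed ("TERM") ? 0 : 1;
}
```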