oss-security - Re: Some telnet clients leak environment variables

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Message-ID: <abQO9W_P5gstPcXT@symphytum.spacehopper.org>
Date: Fri, 13 Mar 2026 13:19:49 +0000
From: Stuart Henderson <stu@...cehopper.org>
To: oss-security@...ts.openwall.com
Subject: Re: Some telnet clients leak environment variables

On 2026/03/13 06:37, Justin Swartz wrote:
>   OpenBSD 7.8 [PARTIAL LEAKAGE]
>   
>   The client blocks most variables which have not been explicitly
>   exported, but potentially sensitive variables such as DISPLAY,
>   XAUTHORITY and PRINTER are leaked without prior export.

ha, we've had that for a long time.

---------------------
Date: 2005/02/27 15:46:42
Author: otto
Branch: HEAD
Tag: OPENBSD_3_7_BASE
Log:
- only send exported vars (based on a diff from Solar Designer)
- fix some buffer overflows (also some Solar Designer input)

ok deraadt@ cloder@

Members:
        authenc.c:1.6->1.7
        commands.c:1.47->1.48
        externs.h:1.13->1.14
        telnet.c:1.18->1.19
---------------------

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.