Notified: May 23, 2000 Updated: September 26, 2000
After looking into the source code for Linux's netkit-telnet (version 0.16), I believe that it's not vulnerable to the PGPPASS problem. The client code that handles the ENVIRON option works okay if the server sends an empty list of variables (which means the client will send all "exported" environment variables), but fails miserably when a list of variable names is given. The code totally ignores ENV_VAR (which normally marks the start of a new env name), and when it comes across ENV_VALUE it will try to grok the variable name but stomps all over it with NUL bytes :-) So, to make a long story short, you can't use netkit-telnet to extract arbitrary variables from the user's environment. You can however retrieve exported variables. Unless the user does funny things in his .telnetrc file, the only variables exported should be USER, TERM and DISPLAY. So the damage that can be done with telnet: URLs is roughly the same as with rlogin: URLs. This does divulge some information, but only little more than an ident query would. My conclusion is that there's no urgent need to modify the rlogin and telnet clients in any way. In the long haul, browser vendors should probably rethink which URLs are allowed under which circumstances, and whether they require user confirmation (much like netscape's "you're about to enter a secure site").
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.