Remote authentication bypass in telnetd

One would assume that most LWN readers stopped running network-accessible
telnet services some number of decades ago. For the rest of you, this security advisory from
Simon Josefsson is worthy of note:

The telnetd server invokes /usr/bin/login (normally running as
root) passing the value of the USER environment variable received
from the client as the last parameter.

If the client supplies a carefully crafted USER environment value
being the string “-f root”, and passes the telnet(1) -a or –login
parameter to send this USER environment to the server, the client
will be automatically logged in as root bypassing normal
authentication processes.