I don’t think I’ve ever seen Haiku in a CVE discussion before, but watchTowr included Haiku among the systems that they tested which include the flawed code from GNU inetutils.
So, nifty to see Haiku is on their list of systems to check; sad to see it came up as vulnerable.
Haiku includes telnetd from FreeBSD, which doesn’t maintain it anymore. There isn’t a license-friendly patch available for this version, only for the GNU inetutils one.
I looked into this a bit more, the article was really interesting with all the technical details, but I think it’s not true that Haiku is affected.
I tested it with the testing tool from watchtowrlabs/watchtowr-vs-telnetd-CVE-2026-32746 on GitHub and it reported that LINEMODE is not supported.
That’s because telnetd on Haiku seems to be built without LINEMODE support.
The code section in question that contains the vulnerability is hidden behind #ifdef LINEMODE but LINEMODE is never defined within the code.
In addition to this, the Telnet server is disabled by default so that you can’t exploit any random Haiku installation, even if it was affected by the bug.
I really don’t understand calls for removing existing functionality that works perfectly fine or replacing the whole telnetd with another implementation when there are zero reasons for that.
Fixing our current telnetd implementation if it’s built with LINEMODE support is a matter of adding a single if statement in the code, and the article even links directly to the line where that if statement needs to be.
Still testing a few things, will compile haiku.hpkg with LINEMODE enabled to see if I can reproduce the vulnerability then, and will then push a fix soon.
It’s a single if line that can be written purely based on the descriptions of the article without directly reading the GPL code.
Thinking of threshold of originality, I doubt a single-line patch that’s so simple can be copyrighted.
Never mind, one can’t even easily build telnetd with LINEMODE enabled because that leads to other errors.
We don’t have the termios c_lflag called EXTPROC needed in sys_term.c line 434.
Neither do we have the TIOCPKT_IOCTL needed in telnetd.c line 1101.
That all first needs to be fixed before we can enable the code that makes Haiku vulnerable to the CVE, therefore I’d say we’re pretty safe.
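
For readers who want to confirm the "LINEMODE is not supported" observation from a packet capture: under RFC 1184 a telnet server asks for the option with IAC DO LINEMODE and refuses a client's offer with IAC DONT LINEMODE. The sketch below is an added example, not the watchTowr tool and not Haiku or FreeBSD code; the function names and the sample byte strings are constructed for illustration.

```python
# Added example: classify a telnet server's LINEMODE stance from raw bytes.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
LINEMODE = 34  # option code assigned by RFC 1184


def negotiations(data: bytes):
    """Yield (command, option) pairs; skip data, IAC IAC and subnegotiations."""
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            i += 1                      # ordinary data byte
        elif i + 1 >= n:
            break                       # truncated capture
        elif data[i + 1] in (DO, DONT, WILL, WONT):
            if i + 2 >= n:
                break
            yield data[i + 1], data[i + 2]
            i += 3
        elif data[i + 1] == SB:
            i += 2
            while i < n:                # skip to IAC SE, honoring IAC IAC
                if data[i] == IAC and i + 1 < n:
                    done = data[i + 1] == SE
                    i += 2
                    if done:
                        break
                else:
                    i += 1
        else:
            i += 2                      # IAC IAC or a two-byte command


def linemode_status(server_bytes: bytes) -> str:
    """Return 'supported', 'refused' or 'no answer' (last reply wins)."""
    status = "no answer"
    for cmd, opt in negotiations(server_bytes):
        if opt == LINEMODE and cmd in (DO, DONT):
            status = "supported" if cmd == DO else "refused"
    return status


# Constructed sample captures (not taken from a real Haiku host).
REFUSED = b"\xff\xfd\x18\xff\xfd\x20\xff\xfe\x22login: "
SUPPORTED = b"\xff\xfd\x22\xff\xfa\x22\x01\x03\xff\xf0"
SB_NOISE = b"\xff\xfa\x18\x00\xff\xff\xfd\x22\xff\xf0\xff\xfb\x01"

if __name__ == "__main__":
    for name in ("REFUSED", "SUPPORTED", "SB_NOISE"):
        print(name, "->", linemode_status(globals()[name]))
```

A "refused" or "no answer" result is consistent with a telnetd built without LINEMODE defined; it says nothing about other options the server negotiates.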