CVE-2023-40303: unchecked return values of set*id() family functions in GNU inetutils

GNU inetutils does not check the return values of set*id() family functions, leading to potential privilege escalation in binaries such as ftpd or rcpd.

Timeline

  • 01/07/2023: Inetutils maintainers contacted, draft patch sent
  • 03/07/2023: Maintainers first response
  • 31/07/2023: Patch fixed and accepted
  • 14/08/2023: CVE-2023-40303 assigned

GNU inetutils

GNU inetutils is a set of network utilities maintained by the Free Software Foundation (FSF). Popular inetutils binaries in GNU/Linux distributions are implementations of network protocol clients (ftp, telnet, tftp, whois, ...) and their server counterparts (ftpd, tftpd, telnetd).

Issue

I wrote a more generic article, "On checking set*id() return values", earlier this summer on this type of issue. The occurrences in GNU inetutils are textbook cases.

The security impact depends heavily on which of the unchecked set*id() calls you look at, but it can lead to privilege escalation under particular conditions. Some of the vulnerable binaries are server daemons, which opens the door to remote exploitation.

The following binaries contain vulnerable calls: ftpd, rcp, rlogin, rsh, rshd, and uucpd.
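As an added illustration (constructed for this write-up, not code from the advisory or from inetutils), the unchecked pattern beside a checked privilege drop that a daemon such as ftpd could use; the function names are assumptions.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable shape (constructed to mirror the unchecked calls the advisory
 * describes): if setuid() fails, e.g. EAGAIN because the target user hit
 * RLIMIT_NPROC, the process silently keeps its elevated privileges. */
void drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    setgid(gid);
    setuid(uid);
}

/* Hardened form: check every call, drop groups before the uid, then verify
 * the drop is real and irreversible. Returns 0, or -1 with errno set. */
int drop_privileges_checked(uid_t uid, gid_t gid)
{
    /* Clearing supplementary groups needs CAP_SETGID, so only do it as root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Do not trust the calls alone: confirm real and effective ids changed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* After leaving root, regaining it must fail; success would mean the
     * saved uid was left behind and the "drop" is fictitious. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Dropping to our own ids works unprivileged, so this runs as any user. */
    if (drop_privileges_checked(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid %u gid %u\n", (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```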

Fix

This issue is currently fixed in the master branch of GNU inetutils (inetutils.git) and will likely be released in the next version (2.5?).

References