Zerosquare, 28/01/2026 at 21:01
Ancient telnet bug happily hands out root to attackers
www.theregister.com: Critical vuln flew under the radar for a decade

"The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter," wrote GNU contributor Simon Josefsson.

"If the client supply [sic] a carefully crafted USER environment value being the string '-f root', and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes."
Ouch.
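The quoted advisory describes an argument-injection pattern: a client-controlled environment value is appended verbatim to the argv of a privileged helper, so a value beginning with '-' is parsed as an option. The block below is an added illustration, not code from inetutils, telnetd or The Register: `build_login_argv_unsafe` reproduces that pattern in miniature, `username_is_safe` and `build_login_argv_safe` show one way to refuse such values. The username policy (portable-character set, 32-character limit) and the use of `--` to end option parsing are assumptions about a reasonable hardened build, not a description of the real fix.

```c
/* Added illustration, not inetutils/telnetd code. Shows how an untrusted USER
 * value becomes a positional argument to /usr/bin/login, and one way to
 * refuse values that login would read as options. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOGIN_PROGRAM "/usr/bin/login"   /* path named in the advisory */
#define MAX_ARGS 8

/* Vulnerable pattern: the client-supplied USER value is appended as-is as the
 * last argument, so a value such as "-f root" reaches login's option parser.
 * Returns the number of arguments placed in argv (excluding the NULL). */
int build_login_argv_unsafe(const char *user, const char *argv[MAX_ARGS])
{
    int n = 0;
    argv[n++] = LOGIN_PROGRAM;
    argv[n++] = "-p";              /* keep the environment, as telnetd does */
    if (user != NULL)
        argv[n++] = user;          /* no validation: attacker controls this */
    argv[n] = NULL;
    return n;
}

/* Hardened check (assumed policy, not the upstream fix): reject NULL or empty
 * values, anything beginning with '-' (an option to login), and characters
 * outside a conservative user-name alphabet. Returns 1 if safe, else 0. */
int username_is_safe(const char *user)
{
    size_t i, len;
    if (user == NULL || user[0] == '\0' || user[0] == '-')
        return 0;
    len = strlen(user);
    if (len > 32)                  /* assumed upper bound for a login name */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;              /* rejects spaces, shell metacharacters */
    }
    return 1;
}

/* Hardened builder: refuses unsafe values (returns -1 so the caller can fall
 * back to a normal login prompt) and, assuming login uses getopt, inserts
 * "--" so the user name can never be parsed as an option. */
int build_login_argv_safe(const char *user, const char *argv[MAX_ARGS])
{
    int n = 0;
    if (!username_is_safe(user)) {
        argv[0] = NULL;
        return -1;
    }
    argv[n++] = LOGIN_PROGRAM;
    argv[n++] = "-p";
    argv[n++] = "--";
    argv[n++] = user;
    argv[n] = NULL;
    return n;
}

/* Stand-alone demonstration with the constructed value from the advisory. */
int main(void)
{
    const char *argv[MAX_ARGS];
    const char *attacker_user = "-f root";   /* constructed sample input */
    int n, i;

    n = build_login_argv_unsafe(attacker_user, argv);
    printf("unsafe argv (%d args):", n);
    for (i = 0; i < n; i++)
        printf(" [%s]", argv[i]);
    printf("\n");

    n = build_login_argv_safe(attacker_user, argv);
    printf("safe builder result for \"%s\": %d (rejected)\n", attacker_user, n);

    n = build_login_argv_safe("alice", argv);
    printf("safe argv (%d args):", n);
    for (i = 0; i < n; i++)
        printf(" [%s]", argv[i]);
    printf("\n");
    return 0;
}
```

The unsafe builder hands login an argument whose first character is '-', which is exactly the condition the advisory exploits; the safe builder rejects it before any process is spawned rather than relying on login to interpret it harmlessly.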