One of the silliest bugs on record emerged late last week, when Debian project leader Chris Lamb took to the distro's security mailing list to post an advisory that the little beep utility had a local privilege escalation vulnerability.
The utility lets a command-line user control the PC speaker or, more usefully, lets a program call it from the command line to tell the user that something has happened. That assumes, of course, that the machine still has a beeper or speaker, which is increasingly rare and raises the question of why the utility still exists. Since beep isn't even installed by default, it's not hard to see why the issue would have gone unnoticed.
News of the bug emerged at holeybeep.ninja, a site that combines news of the bug with an attempt at satirising those who brand bugs and put up websites about them.
But the joke's on holeybeep.ninja because according to the discussion at the Debian mailing list, the fix the site provided didn't fix all of beep's problems. As Tony Hoyle wrote: “The patch vulnerability seems more severe to me, as people apply patches all the time (they shouldn't do it as root, but people are people) … It's concerning that the holeybeep.ninja site exploited an unrelated fault for 'fun' without apparently telling anyone.”
German security researcher and journalist Hanno Böck alerted the OSS-sec list to further issues on Sunday.
[...] Böck's note also linked to an integer overflow and a bug in the patch supposed to fix the original issue.
As a result, Böck wrote, beep should probably be discarded: it needs a proper code review, and there's not much point in that effort “for a tool talking to the PC speaker, which doesn't exist in most modern systems anyway.”
(Score: 5, Insightful) by The Mighty Buzzard on Tuesday April 10 2018, @02:03AM (16 children)
One of the first things I do on installing a distro is make sure the pcspkr module is loaded so i have an audible terminal bell even if I don't have a sound card. Then I install beep if it isn't already so I can have the box notify me of something even should it be headless.
My rights don't end where your fear begins.
(Score: 2) by Subsentient on Tuesday April 10 2018, @02:14AM (10 children)
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 4, Insightful) by frojack on Tuesday April 10 2018, @02:24AM (8 children)
And every mother board I've handled in the last decade still had a beeper, not a speaker, just a tiny beeper.
Even blade server boards have these.
Maybe Mr Tony Hoyle should look inside his machine some day.
No, you are mistaken. I've always had this sig.
(Score: 2) by Whoever on Tuesday April 10 2018, @03:40AM (7 children)
My desktop has a "speaker", but my two mini-ITX systems don't. I don't recall there being a speaker in the box with the motherboards of the mini-ITX systems.
(Score: 3, Informative) by frojack on Tuesday April 10 2018, @05:01AM (5 children)
Maybe that's because you are still looking for that speaker, instead of a little black 1 cm component with a hole in the middle?
My ITX has one.
No, you are mistaken. I've always had this sig.
(Score: 2) by Whoever on Tuesday April 10 2018, @05:06AM (4 children)
My desktop has one of those tiny components.
It's possible that my mini-ITX systems have something, but I could not hear any sound after installing and running "beep".
(Score: 0) by Anonymous Coward on Tuesday April 10 2018, @05:36AM (3 children)
Did you check your mixer? Is the volume up, is it unmuted?
For now it might be a good idea to not have this useful package installed.
(Score: 3, Insightful) by Whoever on Tuesday April 10 2018, @05:52AM (1 child)
The mixer and volume have nothing to do with the PC speaker.
(Score: 2) by zocalo on Tuesday April 10 2018, @09:20AM
UNIX? They're not even circumcised! Savages!
(Score: 2) by Whoever on Tuesday April 10 2018, @06:01AM
Also, not installed suid on my systems, so not vulnerable.
(Score: 2) by Wierd0n3 on Thursday April 12 2018, @01:30AM
My latest ATX build had a tiny jumper that plugged into the front panel pins, with two wires leading to the tiny speaker. The whole thing was less than an inch long and doesn't attach to anything sturdy. It came loose with the case.
(Score: 2, Insightful) by Anonymous Coward on Tuesday April 10 2018, @09:25AM
I actually use pidgin's integrated console beep support all the time, so I have a noticeable way to tell if someone is IMing me even if I disconnected my speakers to use on another system (you try having either 5 sets of speakers, or a chain of minijack cables strung between every system in your room/desk!). Barring that, although prone to less reliability, I can use nasd along with the snd-pcm-oss module to auplay sound notifications across the network to a central system which can notify me when messages are incoming. Compared to pulseaudio there are only a few prerequisites to nasd, and it installs on basically all my systems, from modern to 90s era.
I actually kind of wish we could get these 'gentrification techies' out of our community, so we would actually finish and debug tech before moving on to the next great thing. Given how little of the patchsets, changesets, and hardware gets thoroughly documented and debugged before getting thrown away, it feels like the entire tech community is basically a waste of time, since nothing ever really gets finished to a point where it could be considered 'mature'. Just look at Mesa for examples. The early mesa cards ALMOST got feature complete when they decided to drop DRI1. Around the time DRI2 drivers got complete we saw a push for DRI3. Now we're seeing a push to throw away OpenGL, right as feature parity is obtained and migrate everything to Vulkan. I appreciate new tech. I just don't appreciate old tech being thrown out before I can even enjoy having it feature complete, FINALLY.
(Score: 2) by Arik on Tuesday April 10 2018, @02:49AM (2 children)
Beep is one of the most useful packages in the distro. I didn't read the article yet but just based on the last line of the summary here this Böck has clearly risen to his level of utter incompetence, just as Peter predicted.
If laughter is the best medicine, who are the best doctors?
(Score: 2) by TheRaven on Tuesday April 10 2018, @03:55PM (1 child)
sudo mod me up
(Score: 2) by Arik on Tuesday April 10 2018, @04:57PM
Seriously?
:facedesk:
If laughter is the best medicine, who are the best doctors?
(Score: 2) by edIII on Tuesday April 10 2018, @03:03AM (1 child)
I guess it's been awhile since I've been on the hardware side of things, but is the beep a system makes during post separate from the PC speaker? I was going to say it's very useful on a headless system to hear the system post if you restart it. Just about every system I touch still makes a beep on a startup, so why wouldn't the beep utility use that instead?
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 3, Informative) by The Mighty Buzzard on Tuesday April 10 2018, @03:19AM
That's the speaker beep uses, yes. Being able to tell it to beep in a certain way if certain things happen is something many folks find useful still.
My rights don't end where your fear begins.
(Score: 3, Informative) by Anonymous Coward on Tuesday April 10 2018, @04:18AM (5 children)
The unrelated fault is in patch. diff can include ed commands; FreeBSD and others fixed it some time ago. But not everyone, so instead of only allowing the ed commands that make sense, as POSIX says, the patch command allows shells or anything else that ed can do. THIS ONE IS SERIOUS and part of the website "joke". The whole thing looks like a metaprank, with lots of stupid links in the page and the trojaned diff file. But it could have been used to sneak serious shit into developer machines. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894993
Download https://holeybeep.ninja/beep.patch and look for:
--- /dev/null 2018-13-37 13:37:37.000000000 +0100
+++ b/beep.c 2018-13-37 13:38:38.000000000 +0100
1337a
1,112d
!id>~/pwn.lol;beep # 13-21 12:53:21.000000000 +0100
.
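Review bot: this section is an ed script, not a unified hunk: nothing after the `+++ b/beep.c` header is an `@@` line, and `1337a` and `1,112d` are ed addresses followed by commands. A patch implementation that hands such a section to ed(1) gives ed's `!` command the rest of the line to run through the shell, so `!id>~/pwn.lol;beep` executes `id`, writes its output to `~/pwn.lol` and then runs `beep` with the privileges of whoever applies the patch. The `1337a` append cannot succeed against the empty `/dev/null` source, so ed reports `?` and reads the following lines as commands rather than as text to insert, which is how the `!` line reaches the shell even though it looks like appended content. The impossible timestamps (`2018-13-37`) are a second tell. Reject the section outright; a real change to beep.c belongs in a `@@ -a,b +c,d @@` hunk.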
--- a/beep.c 2018-13-27 12:53:21.000000000 +0100
+++ b/beep.c 2018-13-27 16:53:43.000000000 +0100
Ed commands hidden in plain sight, including shell (id and beep). If you didn't have ed, you dodged the bullet by random luck; otherwise, p0wn3d. http://rachelbythebay.com/w/2018/04/05/bangpatch/ I know some "developers" that don't really read diffs. Or run things in jails/VMs/whatevers. More and more this should be a reason to get fired from paid jobs or kicked out of voluntary FOSS projects (yes, it's boring to pay attention and follow special protocols, but that's no excuse).
Back to noisy thingies, yeah, lack of beeper sucks. My last box has none. The main board does have the pins, and also has a set of LEDs, so if something goes wrong, I have to open the side door, and hope it's handled by the LEDs and not only by the beeps, which are silent. OTOH, the system also has a sound card, and once things are up, alarm bell is routed via normal speakers. Including the one generated via beep cmd.
So NO, YOU BUNCH OF DEBIAN RETARDS, beep/alarm bell still has uses, because you don't use it doesn't mean everyone has to lose it.
They are fucking the project, really. They burnt the social contract years ago and are going me-me-me.
So fuck you-you-you.
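The check the previous comment is asking for (read the diff before applying it, or at least refuse anything that is not a real hunk) can be automated before `patch` ever sees the file. What follows is an added example, not code from the page, from GNU patch or from the beep project: a small Python scanner that refuses any patch containing an ed-style section. It uses the quoted holeybeep.ninja lines as a constructed sample; the unified hunk after the second `--- a/beep.c` header is made up, since the page truncates the real change. Function and constant names are the example's own.

```python
import re
import sys

# Ed address (n, n,m, ., $) followed directly by a/c/d/i and nothing else.
# Normal-diff hunk headers ("5c5", "1,3d0") carry a second address after the
# letter and so do not match; unified and context hunk lines never start
# with a bare address either.
ED_COMMAND = re.compile(r'^(\d+|\.|\$)?(,(\d+|\.|\$))?[acdi]$')


def find_ed_script_risks(patch_text):
    """Return (line_no, line, reason) for every ed command and ed shell
    escape in the patch.

    A section is ed-style when the line after a '+++ ' file header is an
    ed command instead of a '@@' (unified) or '***' (context) hunk header.
    Inside such a section every line is suspect: if the address of an
    'a'/'c'/'i' command is bad, ed never enters text mode and the lines
    that look like appended text are executed as commands (the
    holeybeep.ninja trick), so '!' lines are flagged wherever they occur.
    """
    findings = []
    in_ed_section = False
    expecting_hunk = False  # just saw '+++ '; the next line decides the format
    for n, line in enumerate(patch_text.splitlines(), 1):
        if line.startswith('--- '):      # new file pair (or context old-file header)
            in_ed_section = False
            expecting_hunk = False
            continue
        if line.startswith('+++ '):
            expecting_hunk = True
            continue
        if expecting_hunk:
            expecting_hunk = False
            if line.startswith('@@') or line.startswith('***'):
                continue                 # ordinary unified / context hunk
            if ED_COMMAND.match(line):
                in_ed_section = True
                findings.append((n, line, 'ed command where a hunk header was expected'))
                continue
        if in_ed_section:
            if line.startswith('!'):
                findings.append((n, line, 'ed shell escape, runs through /bin/sh'))
            elif ED_COMMAND.match(line):
                findings.append((n, line, 'ed command'))
    return findings


def is_safe_to_apply(patch_text):
    """True only when the patch contains no ed-style section at all."""
    return not find_ed_script_risks(patch_text)


# Constructed sample: the ed-script section quoted in the comment above,
# followed by a made-up unified hunk standing in for the truncated beep.c change.
SAMPLE_PATCH = """\
--- /dev/null 2018-13-37 13:37:37.000000000 +0100
+++ b/beep.c 2018-13-37 13:38:38.000000000 +0100
1337a
1,112d
!id>~/pwn.lol;beep # 13-21 12:53:21.000000000 +0100
.
--- a/beep.c 2018-13-27 12:53:21.000000000 +0100
+++ b/beep.c 2018-13-27 16:53:43.000000000 +0100
@@ -1,3 +1,3 @@
 #include <stdio.h>
-int old_symbol;
+int new_symbol;
 int main(void) { return 0; }
"""

# The made-up unified hunk on its own: the benign case.
BENIGN_PATCH = SAMPLE_PATCH[SAMPLE_PATCH.index('--- a/beep.c'):]


if __name__ == '__main__':
    # Filter usage: exit 1 when anything ed-like is present.
    text = SAMPLE_PATCH if sys.stdin.isatty() else sys.stdin.read()
    for n, line, reason in find_ed_script_risks(text):
        print(f'line {n}: {reason}: {line}')
    sys.exit(0 if is_safe_to_apply(text) else 1)
```

Used as a filter (`python3 checkpatch.py < beep.patch && patch -p1 < beep.patch`) the patch is only applied when the scanner exits zero. Two cheaper defences need no script at all: `patch -u` (`--unified`) tells GNU patch to interpret the input only as a unified diff, so an ed section is not recognised as a hunk, and `git apply` has no ed support whatsoever. Neither replaces reading the diff, and none of this helps once the patched code is built and run, which is the point the later comment makes.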
(Score: 4, Informative) by maxwell demon on Tuesday April 10 2018, @05:10AM (3 children)
From the summary:
I cannot find any indication that Hanno Böck is in any way associated to Debian. Nor did I see any statement that people at Debian agree with that claim.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Funny) by Frost on Tuesday April 10 2018, @01:51PM (2 children)
They've already discarded beep, as it has been superseded by systemd-beep.
(Score: 0) by Anonymous Coward on Tuesday April 10 2018, @05:42PM
coffee meet nose during trip to keyboard ...
(Score: 2) by HiThere on Tuesday April 10 2018, @05:52PM
FWIW, beep is still in the repository, but I don't have it installed, so I can't tell whether it's installed SUID.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 0) by Anonymous Coward on Tuesday April 10 2018, @03:14PM
This isn't a particularly serious problem, because of how patch files are typically used. If you are applying a malicious patch you are probably fucked anyway, because that patch is very likely modifying code that you intend to execute anyway after patch application. If the patch injected the commands (without using ed diffs at all) into the Makefile then the results would be pretty much the same -- or maybe even worse because Makefiles are very often run as root (e.g., sudo make install).
You have to trust your patches before you apply them.
(Score: 1) by crb3 on Tuesday April 10 2018, @05:29AM
Don't want no 3v!L3H@x0Rz sending lewd and lascivious Morse code messages from my server speakers.
(Score: 0) by Anonymous Coward on Tuesday April 10 2018, @05:43AM
We have millions of rather beefy machines sitting idle, should we instead use those cycles to make our tools more secure?
https://en.wikipedia.org/wiki/Fuzzing