
SoylentNews is people

posted by janrinok on Tuesday April 10 2018, @01:47AM   Printer-friendly
from the who's-a-fool-now? dept.

One of the silliest bugs on record emerged late last week, when Debian project leader Chris Lamb took to the distro's security list to post an advisory that the little [beep] utility had a local privilege escalation vulnerability.

The utility either lets a command-line user control a PC's speaker or, more usefully, lets a program pipe the command out to the command line to tell the user something's happened. If, of course, their machines still have a beeper-speaker, which is increasingly rare and raises the question of why the utility still exists. Since beep isn't even installed by default, it's not hard to see how the issue would have gone unnoticed.

News of the bug emerged at holeybeep.ninja/, a site that combines news of the bug with attempts at satirising those who brand bugs and put up websites about them.

But the joke's on holeybeep.ninja because according to the discussion at the Debian mailing list, the fix the site provided didn't fix all of beep's problems. As Tony Hoyle wrote: “The patch vulnerability seems more severe to me, as people apply patches all the time (they shouldn't do it as root, but people are people) … It's concerning that the holeybeep.ninja site exploited an unrelated fault for 'fun' without apparently telling anyone.”

German security researcher and journalist Hanno Böck alerted the OSS-sec list to further issues on Sunday.

[...] Böck's note also linked to an integer overflow and a bug in the patch supposed to fix the original issue.

As a result, Böck wrote, beep should probably be discarded: it needs a proper code review, and there's not much point to the effort “for a tool talking to the PC speaker, which doesn't exist in most modern systems anyway.”


  • (Score: 2) by Subsentient on Tuesday April 10 2018, @02:14AM (10 children)

    by Subsentient (1111) on Tuesday April 10 2018, @02:14AM (#664780) Homepage Journal
    Yep, beep is still useful. I don't use it for terminal bells though, I don't like that. I see a good use for other forms of notifications on e.g. servers, however. Here's a script I found somewhere many years ago, plays taps. Linky link [universe2.us]
    --
    "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
  • (Score: 4, Insightful) by frojack on Tuesday April 10 2018, @02:24AM (8 children)

    by frojack (1554) on Tuesday April 10 2018, @02:24AM (#664783) Journal

    And every motherboard I've handled in the last decade still had a beeper, not a speaker, just a tiny beeper.
    Even blade server boards have these.

    Maybe Mr Tony Hoyle should look inside his machine some day.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2) by Whoever on Tuesday April 10 2018, @03:40AM (7 children)

      by Whoever (4524) on Tuesday April 10 2018, @03:40AM (#664811) Journal

      My desktop has a "speaker", but my two mini-ITX systems don't. I don't recall there being a speaker in the box with the motherboards of the mini-ITX systems.

      • (Score: 3, Informative) by frojack on Tuesday April 10 2018, @05:01AM (5 children)

        by frojack (1554) on Tuesday April 10 2018, @05:01AM (#664830) Journal

        Maybe that's because you are still looking for that speaker, instead of a little black 1 cm component with a hole in the middle?

        My it's has one.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 2) by Whoever on Tuesday April 10 2018, @05:06AM (4 children)

          by Whoever (4524) on Tuesday April 10 2018, @05:06AM (#664831) Journal

          My desktop has one of those tiny components.

          It's possible that my mini-ITX systems have something, but I could not hear any sound after installing and running "beep".

          • (Score: 0) by Anonymous Coward on Tuesday April 10 2018, @05:36AM (3 children)

            by Anonymous Coward on Tuesday April 10 2018, @05:36AM (#664836)

            Did you check your mixer? Is the volume up, is it unmuted?

            For now it might be a good idea to not have this useful package installed.

            • (Score: 3, Insightful) by Whoever on Tuesday April 10 2018, @05:52AM (1 child)

              by Whoever (4524) on Tuesday April 10 2018, @05:52AM (#664841) Journal

              Did you check your mixer? Is the volume up, is it unmuted?

              The mixer and volume have nothing to do with the PC speaker.

              • (Score: 2) by zocalo on Tuesday April 10 2018, @09:20AM

                by zocalo (302) on Tuesday April 10 2018, @09:20AM (#664871)
                Depends on the mixer app. Some do include an additional control slider that lets you mute and set the volume of the internal speaker as well as any dedicated audio hardware, and it's not at all uncommon for them to mute the PC speaker by default, or to hook calls to the system beep to the audio hardware instead, when they add the extra control - which is convenient if you still use the PC speaker for anything. It's definitely worth checking, although you might need to open the full mixer panel and check that the PC speaker control isn't hidden by default, which is not so convenient if you still use the PC speaker for anything and it suddenly goes mute.
                --
                UNIX? They're not even circumcised! Savages!
            • (Score: 2) by Whoever on Tuesday April 10 2018, @06:01AM

              by Whoever (4524) on Tuesday April 10 2018, @06:01AM (#664843) Journal

              Also, not installed suid on my systems, so not vulnerable.

      • (Score: 2) by Wierd0n3 on Thursday April 12 2018, @01:30AM

        by Wierd0n3 (1033) on Thursday April 12 2018, @01:30AM (#665679)

        My latest ATX build had a tiny jumper that plugged into the front panel pins, had 2 wires leading to the tiny speaker. Whole thing was less than an inch long, doesn't attach to anything sturdy. Came loose with the case.

  • (Score: 2, Insightful) by Anonymous Coward on Tuesday April 10 2018, @09:25AM

    by Anonymous Coward on Tuesday April 10 2018, @09:25AM (#664874)

    I actually use pidgin's integrated console beep support all the time, so I will have a noticeable way to tell if someone is IMing me even if I disconnected my speakers to use on another system (You try having either 5 sets of speakers, or a chain of minijack cables strung between every system in your room/desk!) Barring that, although prone to less reliability, I can use nasd along with the snd-pcm-oss module to auplay sound notifications across the network to a central system which can notify me when messages are incoming. Compared to pulseaudio there are only a few prerequisites to nasd, and it installs on basically all my systems from modern, to 90s era.

    I actually kind of wish we could get these 'gentrification techies' out of our community, so we would actually finish and debug tech before moving on to the next great thing. Given how little of the patchsets, changesets, and hardware gets thoroughly documented and debugged before getting thrown away, it feels like the entire tech community is basically a waste of time, since nothing ever really gets finished to a point where it could be considered 'mature'. Just look at Mesa for examples. The early mesa cards ALMOST got feature complete when they decided to drop DRI1. Around the time DRI2 drivers got complete we saw a push for DRI3. Now we're seeing a push to throw away OpenGL, right as feature parity is obtained and migrate everything to Vulkan. I appreciate new tech. I just don't appreciate old tech being thrown out before I can even enjoy having it feature complete, FINALLY.