Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Tuesday April 10 2018, @01:47AM   Printer-friendly
from the who's-a-fool-now? dept.

One of the silliest bugs on record emerged late last week, when Debian project leader Chris Lamb took to the distro's security to post an advisory that the little [beep] utility had a local privilege escalation vulnerability.

The utility lets either a command line user control a PC's speaker, or – more usefully – a program can pipe the command out to the command line to tell the user something's happened. If, of course, their machines still have a beeper-speaker, which is increasingly rare and raises the question why the utility still exists. Since beep isn't even installed by default, it's not hard to see the issue would have gone un-noticed.

News of the bug emerged at holeybeep.ninja/, a site that combines news of the bug with attempts at satirising those who brand bugs and put up websites about them.

But the joke's on holeybeep.ninja because according to the discussion at the Debian mailing list, the fix the site provided didn't fix all of beep's problems. As Tony Hoyle wrote: “The patch vulnerability seems more severe to me, as people apply patches all the time (they shouldn't do it as root, but people are people) … It's concerning that the holeybeep.ninja site exploited an unrelated fault for 'fun' without apparently telling anyone.”

German security researcher and journalist Hanno Böck alerted the OSS-sec list to further issues on Sunday.

[...] Böck's note also linked to an integer overflow and a bug in the patch supposed to fix the original issue.

As a result, Böck wrote, beep should probably be discarded: it needs a proper code review, and there's no much point to the effort “for a tool talking to the PC speaker, which doesn't exist in most modern systems anyway.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by Whoever on Tuesday April 10 2018, @05:06AM (4 children)

    by Whoever (4524) on Tuesday April 10 2018, @05:06AM (#664831) Journal

    My desktop has one of those tiny components.

    It's possible that my mini-ITX systems have something, but I could not hear any sound after installing and running "beep".

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 0) by Anonymous Coward on Tuesday April 10 2018, @05:36AM (3 children)

    by Anonymous Coward on Tuesday April 10 2018, @05:36AM (#664836)

    Did you check your mixer? Is the volume up, is it unmuted?

    For now it might be a good idea to not have this useful package installed.

    • (Score: 3, Insightful) by Whoever on Tuesday April 10 2018, @05:52AM (1 child)

      by Whoever (4524) on Tuesday April 10 2018, @05:52AM (#664841) Journal

      Did you check your mixer? Is the volume up, is it unmuted?

      The mixer and volume have nothing to do with the PC speaker.

      • (Score: 2) by zocalo on Tuesday April 10 2018, @09:20AM

        by zocalo (302) on Tuesday April 10 2018, @09:20AM (#664871)
        Depends on the mixer app. Some do include an additional control slider that lets you mute and set the volume of the internal speaker as well as any dedicated audio hardware, and it's not at all uncommon for them to mute the PC speaker by default, or to hook calls to the system beep to the audio hardware instead, when they add the extra control - which is convenient if you still use the PC speaker for anything. It's definitely worth checking, although you might need to open the full mixer panel and check that the PC speaker control isn't hidden by default, which is not so convenient if you still use the PC speaker for anything and it suddenly goes mute.
        --
        UNIX? They're not even circumcised! Savages!
    • (Score: 2) by Whoever on Tuesday April 10 2018, @06:01AM

      by Whoever (4524) on Tuesday April 10 2018, @06:01AM (#664843) Journal

      Also, not installed suid on my systems, so not vulnerable.