One of the silliest bugs on record emerged late last week, when Debian project leader Chris Lamb took to the distro's security list to post an advisory that the little beep utility had a local privilege escalation vulnerability.
The utility either lets a command-line user control a PC's speaker or, more usefully, lets a program pipe the command out to the command line to tell the user something's happened. That is, of course, if their machines still have a beeper-speaker, which is increasingly rare and raises the question of why the utility still exists. Since beep isn't even installed by default, it's not hard to see how the issue would have gone unnoticed.
News of the bug emerged at holeybeep.ninja/, a site that combines news of the bug with attempts at satirising those who brand bugs and put up websites about them.
But the joke's on holeybeep.ninja because according to the discussion at the Debian mailing list, the fix the site provided didn't fix all of beep's problems. As Tony Hoyle wrote: “The patch vulnerability seems more severe to me, as people apply patches all the time (they shouldn't do it as root, but people are people) … It's concerning that the holeybeep.ninja site exploited an unrelated fault for 'fun' without apparently telling anyone.”
German security researcher and journalist Hanno Böck alerted the OSS-sec list to further issues on Sunday.
[...] Böck's note also linked to an integer overflow and a bug in the patch supposed to fix the original issue.
As a result, Böck wrote, beep should probably be discarded: it needs a proper code review, and there's not much point to the effort “for a tool talking to the PC speaker, which doesn't exist in most modern systems anyway.”
(Score: 5, Insightful) by The Mighty Buzzard on Tuesday April 10, @02:03AM (5 children)
One of the first things I do on installing a distro is make sure the pcspkr module is loaded so I have an audible terminal bell even if I don't have a sound card. Then I install beep if it isn't already so I can have the box notify me of something even should it be headless.
Now with #freearistarchus! Not 10% off. Not 50% off. Not even 90% off. Free!
(Score: 2) by Subsentient on Tuesday April 10, @02:14AM (1 child)
(Score: 3, Interesting) by frojack on Tuesday April 10, @02:24AM
And every motherboard I've handled in the last decade still had a beeper, not a speaker, just a tiny beeper.
Even blade server boards have these.
Maybe Mr Tony Hoyle should look inside his machine some day.
No, you are mistaken. I've always had this sig.
(Score: 2) by Arik on Tuesday April 10, @02:49AM
Beep is one of the most useful packages in the distro. I didn't read the article yet but just based on the last line of the summary here this Böck has clearly risen to his level of utter incompetence, just as Peter predicted.
"Unix? These savages aren't even circumcised!"
(Score: 2) by edIII on Tuesday April 10, @03:03AM (1 child)
I guess it's been a while since I've been on the hardware side of things, but is the beep a system makes during POST separate from the PC speaker? I was going to say it's very useful on a headless system to hear the system POST if you restart it. Just about every system I touch still makes a beep on startup, so why wouldn't the beep utility use that instead?
(Score: 2) by The Mighty Buzzard on Tuesday April 10, @03:19AM
That's the speaker beep uses, yes. Being able to tell it to beep in a certain way if certain things happen is something many folks find useful still.
Now with #freearistarchus! Not 10% off. Not 50% off. Not even 90% off. Free!