beep version 1.3 and up contains an External Control of File Name or Path vulnerability in --device option that can result in Local unprivileged user can inhibit execution of arbitrary programs by other users, allowing DoS. This attack appears to be exploitable via The system must allow local users to run beep.

Gentoo Security Scout
Florian Schuhmacher
FYI Comment on the Link (in URL Field)

ndim commented on Jan 14:
> Given the lack of activity in this code repository since 2013, I have taken up the codebase, fixed a number of issues including the two CVEs (CVE-2018-0492 and CVE-2018-1000532) we have discussed here, and put it up on https://github.com/spkr-beep/beep with release 1.4.2 being current.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=370f5643e13ef95e78e692752626e5c0391b10ef

commit 370f5643e13ef95e78e692752626e5c0391b10ef
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2019-04-27 21:06:10 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-04-27 23:03:09 +0000

    app-misc/beep: version bump.

    Bug: https://bugs.gentoo.org/659338
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11
    Closes: https://github.com/gentoo/gentoo/pull/11845
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 app-misc/beep/Manifest          |  1 +
 app-misc/beep/beep-1.4.4.ebuild | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6569e6455dae2d9786dbb473550396486f83b5dc

commit 6569e6455dae2d9786dbb473550396486f83b5dc
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-04-29 21:02:16 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-04-29 21:02:16 +0000

    Revert "app-misc/beep: version bump."

    This reverts commit 370f5643e13ef95e78e692752626e5c0391b10ef.

    * PR was merged from a fellow developer who I was not aware of being under a QA ban.
    * PR addressed an outstanding security issue with app-misc/beep hence the merge.
    * Reverted per the QA bug being opened.

    Bug: https://bugs.gentoo.org/684728
    Bug: https://bugs.gentoo.org/659338
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 app-misc/beep/Manifest          |  1 -
 app-misc/beep/beep-1.4.4.ebuild | 38 --------------------------------------
 2 files changed, 39 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=57f54cc39bb49a0f898b74644607658d950f514d

commit 57f54cc39bb49a0f898b74644607658d950f514d
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-25 17:30:47 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-25 17:30:59 +0000

    app-misc/beep: bump to v1.4.9

    Bug: https://bugs.gentoo.org/659338
    Closes: https://bugs.gentoo.org/684600
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-misc/beep/Manifest          |  1 +
 app-misc/beep/beep-1.4.9.ebuild | 59 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)
GLSA Vote: No
amd64 stable
ppc stable
ppc64 stable
x86 stable
arm stable
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
sparc was missed...
sparc stable. Last arch, closing.
(In reply to Rolf Eike Beer from comment #13)
> sparc stable. Last arch, closing.

Security bug ;)

----

@maintainer(s), please cleanup
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df371339089f4ceaa1674776d4ba105c3db8f021

commit df371339089f4ceaa1674776d4ba105c3db8f021
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2020-06-23 07:27:30 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2020-06-23 07:27:57 +0000

    app-misc/beep: remove vulnerable version.

    Bug: https://bugs.gentoo.org/659338
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 app-misc/beep/Manifest           |  1 -
 app-misc/beep/beep-1.3-r3.ebuild | 37 -------------------------------------
 app-misc/beep/beep-1.4.9.ebuild  |  2 +-
 3 files changed, 1 insertion(+), 39 deletions(-)
Thanks! All done.