This article is more than 1 year old
Linux Beep bug joke backfires as branded fix falls short
PCs don't have beepers any more, but code to make' em sound off lets you see files
Retro programmers may need to reconsider using the Linux
beep command as an activity or progress alert.
One of the silliest bugs on record emerged late last week, when Debian project leader Chris Lamb took to the distro's security to post an advisory that the little utility had a local privilege escalation vulnerability.
The utility lets either a command line user control a PC's speaker, or – more usefully – a program can pipe the command out to the command line to tell the user something's happened.
If, of course, their machines still have a beeper-speaker, which is increasingly rare and raises the question why the utility still exists. Since
beep isn't even installed by default, it's not hard to see the issue would have gone un-noticed.
News of the bug emerged at holeybeep.ninja/, a site that combines news of the bug with attempts at satirising those who brand bugs and put up websites about them.
But the joke's on holeybeep.ninja because according to the discussion at the Debian mailing list, the fix the site provided didn't fix all of
As Tony Hoyle wrote: “The patch vulnerability seems more severe to me, as people apply patches all the time (they shouldn't do it as root, but people are people) … It's concerning that the holeybeep.ninja site exploited an unrelated fault for 'fun' without apparently telling anyone.”
German security researcher and journalist Hanno Böck alerted the OSS-sec list to further issues on Sunday.
Böck listed an information disclosure bug in which
beep “opens arbitrary files for write as root, bypassing file permissions”.
Debian's Rhonda D'Vine wrote this reveals the existence of files normally hidden from the user, and: “If a file has side effects when opened,
beep allows the calling user to trigger those side effects even if they are not authorised to do so. Jakub Wilk pointed out that named pipes and tape devices are affected.”
Böck's note also linked to an integer overflow and a bug in the patch supposed to fix the original issue.
As a result, Böck wrote,
beep should probably be discarded: it needs a proper code review, and there's no much point to the effort “for a tool talking to the PC speaker, which doesn't exist in most modern systems anyway. ®