Vulnerabilities Found in Linux 'Beep' Tool. Affects Puppy??
belham2


Posted: Mon 09 Apr 2018, 17:34    Post subject: Vulnerabilities Found in Linux 'Beep' Tool. Affects Puppy??

"....Several vulnerabilities have been found in the Linux command line tool Beep, including a potentially serious issue introduced by a patch for a privilege escalation flaw.

For well over a decade, Beep has been used by developers on Linux to get a computer’s internal speaker to produce a beep. What makes Beep useful for certain programs is the fact that it allows users to control the pitch, duration and repetitions of the sound. The open source application has not received any updates since 2013.

An unnamed researcher discovered recently that Beep versions through 1.3.4 are affected by a race condition that allows a local attacker to escalate privileges to root
......."



https://www.securityweek.com/vulnerabilities-found-linux-beep-tool
rufwoof


Posted: Mon 09 Apr 2018, 22:39

Quote:
Beep versions through 1.3.4 are affected by a race condition that allows a local attacker to escalate privileges to root

A safe at home full of money/gold is only as secure as your resilience to having your or family members' fingers cut off one by one by a local intruder who wants to gain access to that safe.

Puppy is single user, so a local attacker gaining priv elevation is a bit like battering yourself on the head in order to get the root password knocked out of you. An intruder wouldn't bother with that, they'd just take the box/HDD and access the content indirectly.

Quote:
Affects Puppy??

Sort of - theoretically/conceptually, but in practice looks like it could just be ignored.
belham2


Posted: Tue 10 Apr 2018, 06:05

rufwoof wrote:
Quote:
Beep versions through 1.3.4 are affected by a race condition that allows a local attacker to escalate privileges to root

A safe at home full of money/gold is only as secure as your resilience to having your or family members' fingers cut off one by one by a local intruder who wants to gain access to that safe.

Puppy is single user, so a local attacker gaining priv elevation is a bit like battering yourself on the head in order to get the root password knocked out of you. An intruder wouldn't bother with that, they'd just take the box/HDD and access the content indirectly.

Quote:
Affects Puppy??

Sort of - theoretically/conceptually, but in practice looks like it could just be ignored.



LOL. I was sort of thinking this, but wasn't sure, so thus I posted here.

I'm getting to really, really, REALLY dislike this whole cottage industry of finding potential/possible bugs. The industry needs to rethink this. According to well-established science, you can never prove something is 100% true (a secure OS, for example) but one sure can prove something is false or a negative (finding "potential" holes). Or, a better analogy, walk into a hospital & they are bound, after enough tests are run & performed, to either find something wrong with you (which has no bearing on your life) or they will "potentially" find something wrong with you (again, with no bearing on one's life).

Of course, I write all this now, and I just summarily cursed us all as the most horrible, destructive Linux malware ever seen in history is going to be unleashed from "beep".
darry19662018


Posted: Tue 10 Apr 2018, 06:11

I think it is good to read these, assess the risk and make one's own mind up.

Thank you Belham for info.
8Geee



Posted: Sun 15 Apr 2018, 23:26

I see that a race condition exists... this is codeword for Meltdown/Spectre vulnerability. The racing occurs between the original command and the Out-of-Order-Execution cache. In simple language (I think). This is why some people want Intel to simply put out new CPUs w/o speculating caches. SO MUCH software needs patching, even simple stuff like beep. Without such caches the command HAS to be directly addressed without branching (speculating) upon the next bits of data.

FWIW
8Geee

_________________
Linux user #498913

Some people need to reimagine their thinking.