"....Several vulnerabilities have been found in the Linux command line tool Beep, including a potentially serious issue introduced by a patch for a privilege escalation flaw.
For well over a decade, Beep has been used by developers on Linux to get a computer’s internal speaker to produce a beep. What makes Beep useful for certain programs is the fact that it allows users to control the pitch, duration and repetitions of the sound. The open source application has not received any updates since 2013.
An unnamed researcher discovered recently that Beep versions through 1.3.4 are affected by a race condition that allows a local attacker to escalate privileges to root......."
https://www.securityweek.com/vulnerabil ... -beep-tool
Vulnerabilities Found in Linux 'Beep' Tool. Affects Puppy??
A safe at home full of money/gold is only as secure as your resilience to having your or family members fingers cut off one by one by a local intruder who wants to gain access to that safe.Beep versions through 1.3.4 are affected by a race condition that allows a local attacker to escalate privileges to root
Puppy is single user, so a local attacker gaining priv elevation is a bit like battering yourself on the head in order to get the root password knocked out of you. A intruder wouldn't bother with that, they'd just take the box/HDD and access the content indirectly.
Sortof - theoretically/conceptually, but in practice looks like it could just be ignored.Affects Puppy??
rufwoof wrote:A safe at home full of money/gold is only as secure as your resilience to having your or family members fingers cut off one by one by a local intruder who wants to gain access to that safe.Beep versions through 1.3.4 are affected by a race condition that allows a local attacker to escalate privileges to root
Puppy is single user, so a local attacker gaining priv elevation is a bit like battering yourself on the head in order to get the root password knocked out of you. A intruder wouldn't bother with that, they'd just take the box/HDD and access the content indirectly.
Sortof - theoretically/conceptually, but in practice looks like it could just be ignored.Affects Puppy??
LOL. I was sort of thinking this, but wasn't sure, so thus I posted here.
I'm getting to really, really, REALLY dislike this whole cottage industry of finding potential/possible bugs. The industry needs to rethink this. According to well established science, you can never prove something is 100% true (a secure OS, for example) but one sure can prove something is false or a negative (finding "potential" holes). Or, a better analogy, walk into a hospital & they are bound, after enough tests are run & performed, to either find something wrong with you (which has no bearing on your life) or they will "potentially" find something wrong with you (again, with no bearing on one's life).
Of course, I write all this now, and I just summarily cursed us all as the most horrible, destructive Linux malware ever seen is history is going to be unleashed from "beep".
-
- Posts: 721
- Joined: Sat 31 Mar 2018, 08:01
- Location: Rakaia
- Contact:
I see that a race condition exists... this is codeword for Meltdown.Spectre vunerability. The racing occurs between the original command and the Out-of-Order-Execution cache. In simple language (I think). This is why some people want Intel to simply put out new CPUs w/o speculating caches. SO MUCH software needs patching, even simple stuff like beep. Without such caches the command HAS to be directly addressed without branching (speculating) upon the next bits of data.
FWIW
8Geee
FWIW
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
"Zuckerberg: a large city inhabited by mentally challenged people."