Vulnerabilities Found in Linux 'Beep' Tool. Affects Puppy??

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#1 Post by belham2 »

"....Several vulnerabilities have been found in the Linux command line tool Beep, including a potentially serious issue introduced by a patch for a privilege escalation flaw.

For well over a decade, Beep has been used by developers on Linux to get a computer’s internal speaker to produce a beep. What makes Beep useful for certain programs is the fact that it allows users to control the pitch, duration and repetitions of the sound. The open source application has not received any updates since 2013.

An unnamed researcher discovered recently that Beep versions through 1.3.4 are affected by a race condition that allows a local attacker to escalate privileges to root
......."



https://www.securityweek.com/vulnerabil ... -beep-tool

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#2 Post by rufwoof »

"Beep versions through 1.3.4 are affected by a race condition that allows a local attacker to escalate privileges to root"
A safe at home full of money/gold is only as secure as your resilience to having your or family members' fingers cut off one by one by a local intruder who wants to gain access to that safe.

Puppy is single user, so a local attacker gaining priv elevation is a bit like battering yourself on the head in order to get the root password knocked out of you. An intruder wouldn't bother with that, they'd just take the box/HDD and access the content indirectly.
"Affects Puppy??"
Sort of - theoretically/conceptually, but in practice looks like it could just be ignored.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#3 Post by belham2 »

rufwoof wrote:
"Beep versions through 1.3.4 are affected by a race condition that allows a local attacker to escalate privileges to root"
A safe at home full of money/gold is only as secure as your resilience to having your or family members' fingers cut off one by one by a local intruder who wants to gain access to that safe.

Puppy is single user, so a local attacker gaining priv elevation is a bit like battering yourself on the head in order to get the root password knocked out of you. An intruder wouldn't bother with that, they'd just take the box/HDD and access the content indirectly.
"Affects Puppy??"
Sort of - theoretically/conceptually, but in practice looks like it could just be ignored.

LOL. I was sort of thinking this, but wasn't sure, so thus I posted here.

I'm getting to really, really, REALLY dislike this whole cottage industry of finding potential/possible bugs. The industry needs to rethink this. According to well-established science, you can never prove something is 100% true (a secure OS, for example) but one sure can prove something is false or a negative (finding "potential" holes). Or, a better analogy, walk into a hospital & they are bound, after enough tests are run & performed, to either find something wrong with you (which has no bearing on your life) or they will "potentially" find something wrong with you (again, with no bearing on one's life).

Of course, I write all this now, and I just summarily cursed us all as the most horrible, destructive Linux malware ever seen in history is going to be unleashed from "beep". :(

darry19662018
Posts: 721
Joined: Sat 31 Mar 2018, 08:01
Location: Rakaia

#4 Post by darry19662018 »

I think it is good to read these, assess the risk and make one's own mind up.

Thank you Belham for info.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#5 Post by 8Geee »

I see that a race condition exists... this is codeword for Meltdown/Spectre vulnerability. The racing occurs between the original command and the Out-of-Order-Execution cache. In simple language (I think). This is why some people want Intel to simply put out new CPUs w/o speculating caches. SO MUCH software needs patching, even simple stuff like beep. Without such caches the command HAS to be directly addressed without branching (speculating) upon the next bits of data.

FWIW
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

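Added example, not part of any post in this thread: a shell check for the "Affects Puppy??" question that classifies a local beep binary against the "versions through 1.3.4" range quoted in post #1. The function names and output labels are made up for this example, the version string is passed in by hand (for instance from the package manager), and treating the setuid bit as the exposure signal is an assumption of this example that the thread itself does not state.

```shell
#!/bin/sh
# Added example: classify a beep install against the range quoted in
# post #1 ("Beep versions through 1.3.4"). Nothing here comes from the
# beep project; function names and output labels are hypothetical.

# version_le A B: succeed when dotted version A <= B.
# Fields are compared numerically, so 1.10.0 sorts after 1.3.4.
version_le() {
    first=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# classify_beep PATH VERSION: print one label describing the install.
#   not-installed                no regular file at PATH
#   outside-reported-range       VERSION is newer than 1.3.4
#   affected-setuid              in range and the setuid bit is set
#   affected-version-not-setuid  in range, no setuid bit
# Assumption of this example: a local privilege escalation through a
# helper binary only gains anything when that binary runs with more
# privilege than its caller, which for beep means the setuid bit.
classify_beep() {
    bin=$1
    ver=$2
    if [ ! -f "$bin" ]; then
        echo not-installed
        return 0
    fi
    if ! version_le "$ver" 1.3.4; then
        echo outside-reported-range
        return 0
    fi
    if [ -u "$bin" ]; then
        echo affected-setuid
    else
        echo affected-version-not-setuid
    fi
}

# Usage (constructed values):
#   classify_beep "$(command -v beep)" 1.3.4
```

On a system where everything already runs as root, as post #2 describes for Puppy, an affected-setuid result means there is no lower-privileged local account for the escalation to start from.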