Debian Bug report logs - #895115

info leakage and unauthorized access to devices

Reported by: Richard Kettlewell <rjk@terraraq.uk>
Date: Sat, 7 Apr 2018 07:51:04 UTC
Severity: serious
Tags: security
Found in version beep/1.3-4
Fixed in version beep/1.4.3-1
Done: Rhonda D'Vine <rhonda@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://github.com/johnath/beep/issues/11


Report forwarded to debian-bugs-dist@lists.debian.org, Rhonda D'Vine <rhonda@debian.org> :

Bug#895115 ; Package beep . (Sat, 07 Apr 2018 07:51:07 GMT) (full text, mbox, link).

Acknowledgement sent to Richard Kettlewell <rjk@terraraq.uk> :

New Bug report received and forwarded. Copy sent to Rhonda D'Vine <rhonda@debian.org> . (Sat, 07 Apr 2018 07:51:07 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Richard Kettlewell <rjk@terraraq.uk>
To: submit@bugs.debian.org
Subject: info leakage and unauthorized access to devices
Date: Sat, 7 Apr 2018 08:31:36 +0100

Package: beep
Version: 1.3-4+b1

beep opens arbitrary files for write as root, bypassing file permissions. The impact is as follows:

1. beep reveals whether any file exists, even if the file's existence would normally be secret from the calling user.

    $ ls -ld /etc/hidden/
    drwx------ 2 root root 4096 Apr  7 08:18 /etc/hidden/
    $ ls -l /etc/hidden/secret
    ls: cannot access '/etc/hidden/secret': Permission denied
    $ ls -l /etc/hidden/nonexistent
    ls: cannot access '/etc/hidden/nonexistent': Permission denied
    $ beep -e /etc/hidden/secret
    ioctl: Inappropriate ioctl for device
    ioctl: Inappropriate ioctl for device
    $ beep -e /etc/hidden/nonexistent
    Could not open /etc/hidden/nonexistent for writing
    open: No such file or directory

2. beep reveals information about the file type, even if that would normally be secret from the calling user. For example, a socket will yield "no such device or address".

3. If a file has side effects when opened, beep allows the calling user to trigger those side effects even if they are not authorized to do so. Jakub Wilk pointed out that named pipes and tape devices are affected.

This issue is already discussed in the upstream bug report at https://github.com/johnath/beep/issues/11 but I believe all the relevant information is captured here.

ttfn/rjk
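The report above boils down to one pattern: a set-uid helper opens a caller-chosen path with root's credentials and only afterwards discovers, via a failing ioctl, that it was not a console at all. The following C function is an added example written for this bug log; it is not beep's code, and upstream's actual 1.4.3 fix took a different route (the Debian package stopped installing beep suid root). It shows how a privileged helper can gate such an open so that none of the three effects the reporter lists occur: the path is looked up with the caller's real uid, so directory permissions decide what the caller may learn; the inode is inspected through an O_PATH handle, which never invokes the driver's open() and never blocks on a FIFO; and only a character device on an allowed tty major is then opened for writing, through /proc/self/fd so that the inspected inode and the opened inode are the same. The function name open_console_device, the Linux tty majors 4 and 5 in major_allowed, and the use of /proc are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>
#include <unistd.h>

/* Device majors a console beeper may talk to. Assumption for this example:
 * Linux TTY_MAJOR (4, /dev/tty0..) and TTYAUX_MAJOR (5, /dev/console). */
int major_allowed(unsigned int maj) {
    return maj == 4 || maj == 5;
}

/* Open a caller-supplied console path from a set-uid helper without
 * revealing or touching arbitrary files as root.
 * Returns an O_WRONLY descriptor, or -1 with errno set. */
int open_console_device(const char *path) {
    uid_t real_uid = getuid();
    uid_t saved_euid = geteuid();
    int saved_errno;

    /* Step 1: resolve the path with the caller's own credentials. Because
     * O_PATH does not open the file itself, no driver open() runs and a
     * FIFO does not block; the only thing that happens is a lookup that
     * fails exactly where it would fail for the caller (e.g. EACCES). */
    if (seteuid(real_uid) == -1)
        return -1;
    int pfd = open(path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    saved_errno = errno;
    if (seteuid(saved_euid) == -1) {
        saved_errno = errno;
        if (pfd >= 0) close(pfd);
        errno = saved_errno;
        return -1;
    }
    if (pfd < 0) {
        errno = saved_errno;
        return -1;
    }

    /* Step 2: inspect the referenced inode through the handle (no second
     * path lookup, so no TOCTOU race). Regular files, FIFOs, sockets,
     * symlinks (O_NOFOLLOW) and block/char devices on other majors, such
     * as tape drives, are all rejected before anything is opened. */
    struct stat st;
    if (fstat(pfd, &st) == -1) {
        saved_errno = errno;
        close(pfd);
        errno = saved_errno;
        return -1;
    }
    if (!S_ISCHR(st.st_mode) || !major_allowed(major(st.st_rdev))) {
        close(pfd);
        errno = ENODEV;
        return -1;
    }

    /* Step 3: only now perform the real open, with privileges, via the
     * O_PATH handle so it refers to the inode that was just checked. */
    char proc_path[64];
    snprintf(proc_path, sizeof proc_path, "/proc/self/fd/%d", pfd);
    int fd = open(proc_path, O_WRONLY | O_NOCTTY | O_CLOEXEC);
    saved_errno = errno;
    close(pfd);
    errno = saved_errno;
    return fd;
}

/* Stand-alone check: try the path given on the command line. */
int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/dev/console";
    int fd = open_console_device(path);
    if (fd < 0) {
        perror(path);
        return 1;
    }
    printf("%s accepted as a console device\n", path);
    close(fd);
    return 0;
}
```

Run as an unprivileged user the function is a no-op on credentials (seteuid to the same uid succeeds), so it behaves like a plain "is this a console?" check; installed set-uid it confines what root does on the caller's behalf to a single open of an already-verified device. Note that a path the caller could not stat themselves still fails in step 1, but with the caller's own permissions, so nothing is revealed that ls would not also reveal.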

Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org . (Sat, 07 Apr 2018 07:57:02 GMT) (full text, mbox, link).

Severity set to 'serious' from 'normal' Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org . (Thu, 12 Apr 2018 13:33:03 GMT) (full text, mbox, link).

Set Bug forwarded-to-address to 'https://github.com/johnath/beep/issues/11'. Request was from Reiner Herrmann <reiner@reiner-h.de> to control@bugs.debian.org . (Sat, 21 Jul 2018 12:36:03 GMT) (full text, mbox, link).

Reply sent to Rhonda D'Vine <rhonda@debian.org> :

You have taken responsibility. (Mon, 18 Feb 2019 14:54:05 GMT) (full text, mbox, link).

Notification sent to Richard Kettlewell <rjk@terraraq.uk> :

Bug acknowledged by developer. (Mon, 18 Feb 2019 14:54:05 GMT) (full text, mbox, link).

Message #16 received at 895115-close@bugs.debian.org (full text, mbox, reply):

From: Rhonda D'Vine <rhonda@debian.org>
To: 895115-close@bugs.debian.org
Subject: Bug#895115: fixed in beep 1.4.3-1
Date: Mon, 18 Feb 2019 14:50:31 +0000

Source: beep
Source-Version: 1.4.3-1

We believe that the bug you reported is fixed in the latest version of beep, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 895115@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rhonda D'Vine <rhonda@debian.org> (supplier of updated beep package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 18 Feb 2019 15:01:31 +0100
Source: beep
Binary: beep beep-dbgsym beep-udeb
Architecture: source amd64
Version: 1.4.3-1
Distribution: unstable
Urgency: high
Maintainer: Rhonda D'Vine <rhonda@debian.org>
Changed-By: Rhonda D'Vine <rhonda@debian.org>
Description:
 beep - advanced PC-speaker beeper
 beep-udeb - advanced PC-speaker beeper - minimal package (udeb)
Closes: 895115 902722
Changes:
 beep (1.4.3-1) unstable; urgency=high
 .
   [ Rhonda D'Vine ]
   * Update watch file for new upstream repository.
   * Remove manpage patch (which was needed for the new options which are
     now incorporated upstream).
   * Use generic dh_install approach now that the GNUmakefile supports it.
   * Update to debhelper-compat (= 12).
   * Disable dh_dwz and dh_auto_test.
   * Bump Standards-Version to 4.3.0.
   * Add debian/NEWS about handling permissions, beep won't get installed
     suid root anymore.
   * Remove debconf handling.
 .
   [ Axel Beckert ]
   * Update Vcs-* headers for move to Salsa.
   * Add a debian/gbp.conf to make gbp aware of the current branch layout.
   * Switch upstream to https://github.com/spkr-beep/beep and import new
     upstream release 1.4.3.
     + Fixes CVE-2018-1000532. (Closes: #902722, #895115)
     + Drop patches CVE-2018-0492.patch + catch-sig-term, applied upstream.
     + Drop patch fix-makefile, fixed differently upstream.
     + Update Homepage and Source fields.
Checksums-Sha1:
 1b6f808716a8b96ec21213a0cc545f33d466f563 1852 beep_1.4.3-1.dsc
 743ad6bb8eee9870737db7177a5aeb8f29d2ef37 39677 beep_1.4.3.orig.tar.gz
 f5769cf3373bfc4cf534b883529e3624eff19a1b 7780 beep_1.4.3-1.debian.tar.xz
 51b9f11ff1e2503fabb6a7b48299fbb7e74c9a45 17796 beep-dbgsym_1.4.3-1_amd64.deb
 f418044ca162fa3895b8d548d6bc7eba2ff40dec 7884 beep-udeb_1.4.3-1_amd64.udeb
 38d316b85b19173295dd06e1e1f36bf93d36597b 5672 beep_1.4.3-1_amd64.buildinfo
 b32f35826ce6b5006c5c3356f3747abb21a362fb 26580 beep_1.4.3-1_amd64.deb
Checksums-Sha256:
 dae48b0b32a76b889c2379007012c015754241b77fe8eae0fe166c5203f44e81 1852 beep_1.4.3-1.dsc
 4867039c828f29714b327e8a5ad20e27dfe185811a666817d54b08df09f0470a 39677 beep_1.4.3.orig.tar.gz
 149c318adba8f82614725c0816b8e6dc6bf76f0aa3f0d8925f64a688e6c15523 7780 beep_1.4.3-1.debian.tar.xz
 fac89dff18002a687c54cf82fc274f7df2b10ba2c2f4a760d3b06d70a067323e 17796 beep-dbgsym_1.4.3-1_amd64.deb
 63098b94195b0425a48e4b48f90853416180abc9672c27608b973c76cb339703 7884 beep-udeb_1.4.3-1_amd64.udeb
 965ec3fc2ca43fdd1fdd7a3d363016fae52fa5c898c1dde806751cf6a585e676 5672 beep_1.4.3-1_amd64.buildinfo
 be1017dac9d57602e9067b88648adaeed7816b9d65a69a3a82c81180b68881db 26580 beep_1.4.3-1_amd64.deb
Files:
 b126ce25c983331a59eb746acb6d2403 1852 sound optional beep_1.4.3-1.dsc
 5e800172c58c042dbf270f69052d4747 39677 sound optional beep_1.4.3.orig.tar.gz
 252da58f297c9f864034ecef0a1cd29e 7780 sound optional beep_1.4.3-1.debian.tar.xz
 4fe2b0c1bcfa17dc29eecc148b5fbeee 17796 debug optional beep-dbgsym_1.4.3-1_amd64.deb
 7c0e98498bb26e6dc154a658759e985b 7884 debian-installer optional beep-udeb_1.4.3-1_amd64.udeb
 e6d8cd4be98ef760314ac828b32073f9 5672 sound optional beep_1.4.3-1_amd64.buildinfo
 0bb65c042d7b1a5e0c246bb625e5c835 26580 sound optional beep_1.4.3-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEELHLzKO0XByBPs0mU3ugEPuF+uzAFAlxqwIIACgkQ3ugEPuF+
uzCnQg/9FiJ7HSey2O1hlxics/+7h32tTD0s09B4MNU8kxfMuUIB5bgtpHIlMuLJ
CY9fzaHsg81WPK2pOZWdioRhRqjZm/UMcPpVHhE8gIqqXA7U8CPip9gv9jJvq106
YxhlBr1zP20NZ/WYj9+YE2rU7rF7NiVLux+KUqjX1IXKaXA4DKvqMvcrzhpK1934
b2ihXUTDoEkRfvLqWEQa+Z64jflR88/t04L3XUHCHc1zfnFjz65FPZg323006ivS
cbR77VrT8fPJN7W/owjXTNBeBivpuofHVt/7Zx+Wv+72jNU446z/qlwNm8zcNTQn
OhcrOd8x03mR7X4mAq9OcpnIs/BvGPXig15m2DElKxpuo/+Zoo8YENtM+anQVFgQ
BL43ed3EpXSHMDU6zIE+jnB02ZZzVbaynrel9j/SvFZYp8PmAnAPeNEPZX7M9yyI
kKEYwjzSw/2REV6fN6pTD/ID2GTmzBdPWswrNf89iaBpzYLexW++19Snm3H43T5L
82klNSUByoSpxGWFcgvv0+6wZmVKl3oVmnOrXvXnQmM2d8pADnhNN3axII6d4uil
OjYfuXwj1+HiU3i2UcOGqQbbiZJrrX4kXpgNafAPf3pzAzZCNW3eOx4r+fElKpdE
8osmj/N6Qfd55WTw9glBQ5tNAxT4fLvPYk7Bss07+quWWBrAv88=
=aDUO
-----END PGP SIGNATURE-----

Information forwarded to debian-bugs-dist@lists.debian.org, Rhonda D'Vine <rhonda@debian.org> :

Bug#895115 ; Package beep . (Wed, 27 Feb 2019 07:57:03 GMT) (full text, mbox, link).

Acknowledgement sent to Andreas Tille <tille@debian.org> :

Extra info received and forwarded to list. Copy sent to Rhonda D'Vine <rhonda@debian.org> . (Wed, 27 Feb 2019 07:57:03 GMT) (full text, mbox, link).

Message #21 received at 895115@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tille@debian.org>
To: 902722@bugs.debian.org, 895115@bugs.debian.org, Rhonda D'Vine <rhonda@debian.org>
Subject: Package does not seem to migrate to testing due to missing build on arm64
Date: Wed, 27 Feb 2019 08:52:31 +0100

Hi Rhonda,

I'm just pinging both RC bugs to reset the autoremoval from testing counter. I just realised that the package might not migrate to testing due to a missing arm64 build. I leave it to you to decide about the action to take but just wanted to prevent that you will be hit by an autoremoval which might have escaped your attention.

Kind regards

Andreas.

-- 
http://fam-tille.de

Information forwarded to debian-bugs-dist@lists.debian.org, Rhonda D'Vine <rhonda@debian.org> :

Bug#895115 ; Package beep . (Wed, 27 Feb 2019 10:15:04 GMT) (full text, mbox, link).

Acknowledgement sent to Rhonda D'Vine <rhonda@deb.at> :

Extra info received and forwarded to list. Copy sent to Rhonda D'Vine <rhonda@debian.org> . (Wed, 27 Feb 2019 10:15:04 GMT) (full text, mbox, link).

Message #26 received at 895115@bugs.debian.org (full text, mbox, reply):

From: Rhonda D'Vine <rhonda@deb.at>
To: Andreas Tille <tille@debian.org>, 902722@bugs.debian.org, 895115@bugs.debian.org, Rhonda D'Vine <rhonda@debian.org>
Subject: Re: Package does not seem to migrate to testing due to missing build on arm64
Date: Wed, 27 Feb 2019 11:07:06 +0100

Hi!

On 2/27/19 8:52 AM, Andreas Tille wrote:
> I'm just pinging both RC bugs to reset the autoremoval from testing
> counter. I just realised that the package might not migrate to testing
> due to a missing arm64 build. I leave it to you to decide about the
> action to take but just wanted to prevent that you will be hit by an
> autoremoval which might have escaped your attention.

Thanks. The discussions about whether (and how) to add support to automatically make beep available to non-root users did hold it back a bit. The patch for making it build on arm64 is prepared, I just wasn't too sure what to do about the discussions on whether it's fine to leave local adaption to the admin (and potentially improve the documentation about it), or to offer support through the packaging for it. Given that an additional dependency on acl doesn't sound too encouraging, and whether a TAG+="uaccess" might be more useful instead (which I haven't tried yet), this sort of blocked my thoughts from just uploading the fix so far.

So .. thanks for the ping, will get around to it later today. :)

Rhonda

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org . (Sun, 04 Aug 2019 07:30:08 GMT) (full text, mbox, link).
