From df5205ffe0015ae49fd0bb842747499c1cc8d683 Mon Sep 17 00:00:00 2001
From: Rhonda D'Vine <rhonda@debian.org>
Date: Thu, 26 Apr 2018 18:06:48 +0200
Subject: [PATCH] CVE-2018-0492

---
 debian/changelog                   |   6 +-
 debian/patches/CVE-2018-0492.patch | 104 +++++++++++++++++++++++++++++
 debian/patches/series              |   1 +
 3 files changed, 109 insertions(+), 2 deletions(-)
 create mode 100644 debian/patches/CVE-2018-0492.patch

diff --git a/debian/changelog b/debian/changelog
index 70f196f..1b54ad3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,11 @@
-beep (1.3-5) unstable; urgency=low
+beep (1.3-5) unstable; urgency=high
 
   * Rewrite debian/copyright in DEP-5 format, and relicense the packaging
     under MIT to make it clear for lawyers, too.
+  * CVE-2018-0492: Fix a local privilege escalation vulnerability.
+    (Closes: #894667)
 
- -- 
+ -- Rhonda D'Vine <rhonda@debian.org>  Thu, 26 Apr 2018 18:08:11 +0200
 
 beep (1.3-4) unstable; urgency=low
 
diff --git a/debian/patches/CVE-2018-0492.patch b/debian/patches/CVE-2018-0492.patch
new file mode 100644
index 0000000..e69ef05
--- /dev/null
+++ b/debian/patches/CVE-2018-0492.patch
@@ -0,0 +1,104 @@
+--- beep-1.3.orig/beep.c
++++ beep-1.3/beep.c
+@@ -109,6 +109,7 @@ void do_beep(int freq) {
+      /* BEEP_TYPE_EVDEV */
+      struct input_event e;
+ 
++     memset(&e, 0, sizeof(e));
+      e.type = EV_SND;
+      e.code = SND_TONE;
+      e.value = freq;
+@@ -121,10 +122,6 @@ void do_beep(int freq) {
+ /* If we get interrupted, it would be nice to not leave the speaker beeping in
+    perpetuity. */
+ void handle_signal(int signum) {
+-
+-  if(console_device)
+-    free(console_device);
+-
+   switch(signum) {
+   case SIGINT:
+   case SIGTERM:
+@@ -254,7 +251,7 @@ void parse_command_line(int argc, char *
+       result->verbose = 1;
+       break;
+     case 'e' : /* also --device */
+-      console_device = strdup(optarg);
++      console_device = optarg;
+       break;
+     case 'h' : /* notice that this is also --help */
+     default :
+@@ -273,26 +270,6 @@ void play_beep(beep_parms_t parms) {
+ 	"%d delay after) @ %.2f Hz\n",
+ 	parms.reps, parms.length, parms.delay, parms.end_delay, parms.freq);
+ 
+-  /* try to snag the console */
+-  if(console_device)
+-    console_fd = open(console_device, O_WRONLY);
+-  else
+-    if((console_fd = open("/dev/tty0", O_WRONLY)) == -1)
+-      console_fd = open("/dev/vc/0", O_WRONLY);
+-
+-  if(console_fd == -1) {
+-    fprintf(stderr, "Could not open %s for writing\n",
+-      console_device != NULL ? console_device : "/dev/tty0 or /dev/vc/0");
+-    printf("\a");  /* Output the only beep we can, in an effort to fall back on usefulness */
+-    perror("open");
+-    exit(1);
+-  }
+-
+-  if (ioctl(console_fd, EVIOCGSND(0)) != -1)
+-    console_type = BEEP_TYPE_EVDEV;
+-  else
+-    console_type = BEEP_TYPE_CONSOLE;
+-  
+   /* Beep */
+   for (i = 0; i < parms.reps; i++) {                    /* start beep */
+     do_beep(parms.freq);
+@@ -302,8 +279,6 @@ void play_beep(beep_parms_t parms) {
+     if(parms.end_delay || (i+1 < parms.reps))
+        usleep(1000*parms.delay);                        /* wait...    */
+   }                                                     /* repeat.    */
+-
+-  close(console_fd);
+ }
+ 
+ 
+@@ -325,6 +300,26 @@ int main(int argc, char **argv) {
+   signal(SIGTERM, handle_signal);
+   parse_command_line(argc, argv, parms);
+ 
++  /* try to snag the console */
++  if(console_device)
++    console_fd = open(console_device, O_WRONLY);
++  else
++    if((console_fd = open("/dev/tty0", O_WRONLY)) == -1)
++      console_fd = open("/dev/vc/0", O_WRONLY);
++
++  if(console_fd == -1) {
++    fprintf(stderr, "Could not open %s for writing\n",
++      console_device != NULL ? console_device : "/dev/tty0 or /dev/vc/0");
++    printf("\a");  /* Output the only beep we can, in an effort to fall back on usefulness */
++    perror("open");
++    exit(1);
++  }
++
++  if (ioctl(console_fd, EVIOCGSND(0)) != -1)
++    console_type = BEEP_TYPE_EVDEV;
++  else
++    console_type = BEEP_TYPE_CONSOLE;
++
+   /* this outermost while loop handles the possibility that -n/--new has been
+      used, i.e. that we have multiple beeps specified. Each iteration will
+      play, then free() one parms instance. */
+@@ -362,8 +357,8 @@ int main(int argc, char **argv) {
+     parms = next;
+   }
+ 
+-  if(console_device)
+-    free(console_device);
++  close(console_fd);
++  console_fd = -1;
+ 
+   return EXIT_SUCCESS;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 2c1d9d6..981c6c7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 catch-sig-term
 fix-makefile
+CVE-2018-0492.patch
-- 
2.39.2