From 5188105cd321944007da9a33a8aa6f5fa24f44bf Mon Sep 17 00:00:00 2001 From: Rhonda D'Vine Date: Thu, 26 Apr 2018 17:13:11 +0200 Subject: [PATCH] CVE-2018-0492 --- debian/changelog | 7 ++ debian/patches/CVE-2018-0492.patch | 104 +++++++++++++++++++++++++++++ debian/patches/catch-sig-term | 10 ++- debian/patches/series | 1 + 4 files changed, 116 insertions(+), 6 deletions(-) create mode 100644 debian/patches/CVE-2018-0492.patch diff --git a/debian/changelog b/debian/changelog index 3da57f9..ba6f64a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +beep (1.3-3+deb7u1) wheezy-security; urgency=high + + * CVE-2018-0492: Fix a local privilege escalation vulnerability. + (Closes: #894667) + + -- Chris Lamb Tue, 03 Apr 2018 07:40:15 +0100 + beep (1.3-3) unstable; urgency=low * Add patch catch-sig-term to also stop the beep when receiving SIGTERM. diff --git a/debian/patches/CVE-2018-0492.patch b/debian/patches/CVE-2018-0492.patch new file mode 100644 index 0000000..e69ef05 --- /dev/null +++ b/debian/patches/CVE-2018-0492.patch @@ -0,0 +1,104 @@ +--- beep-1.3.orig/beep.c ++++ beep-1.3/beep.c +@@ -109,6 +109,7 @@ void do_beep(int freq) { + /* BEEP_TYPE_EVDEV */ + struct input_event e; + ++ memset(&e, 0, sizeof(e)); + e.type = EV_SND; + e.code = SND_TONE; + e.value = freq; +@@ -121,10 +122,6 @@ void do_beep(int freq) { + /* If we get interrupted, it would be nice to not leave the speaker beeping in + perpetuity. */ + void handle_signal(int signum) { +- +- if(console_device) +- free(console_device); +- + switch(signum) { + case SIGINT: + case SIGTERM: +@@ -254,7 +251,7 @@ void parse_command_line(int argc, char * + result->verbose = 1; + break; + case 'e' : /* also --device */ +- console_device = strdup(optarg); ++ console_device = optarg; + break; + case 'h' : /* notice that this is also --help */ + default : +@@ -273,26 +270,6 @@ void play_beep(beep_parms_t parms) { + "%d delay after) @ %.2f Hz\n", + parms.reps, parms.length, parms.delay, parms.end_delay, parms.freq); + +- /* try to snag the console */ +- if(console_device) +- console_fd = open(console_device, O_WRONLY); +- else +- if((console_fd = open("/dev/tty0", O_WRONLY)) == -1) +- console_fd = open("/dev/vc/0", O_WRONLY); +- +- if(console_fd == -1) { +- fprintf(stderr, "Could not open %s for writing\n", +- console_device != NULL ? console_device : "/dev/tty0 or /dev/vc/0"); +- printf("\a"); /* Output the only beep we can, in an effort to fall back on usefulness */ +- perror("open"); +- exit(1); +- } +- +- if (ioctl(console_fd, EVIOCGSND(0)) != -1) +- console_type = BEEP_TYPE_EVDEV; +- else +- console_type = BEEP_TYPE_CONSOLE; +- + /* Beep */ + for (i = 0; i < parms.reps; i++) { /* start beep */ + do_beep(parms.freq); +@@ -302,8 +279,6 @@ void play_beep(beep_parms_t parms) { + if(parms.end_delay || (i+1 < parms.reps)) + usleep(1000*parms.delay); /* wait... */ + } /* repeat. */ +- +- close(console_fd); + } + + +@@ -325,6 +300,26 @@ int main(int argc, char **argv) { + signal(SIGTERM, handle_signal); + parse_command_line(argc, argv, parms); + ++ /* try to snag the console */ ++ if(console_device) ++ console_fd = open(console_device, O_WRONLY); ++ else ++ if((console_fd = open("/dev/tty0", O_WRONLY)) == -1) ++ console_fd = open("/dev/vc/0", O_WRONLY); ++ ++ if(console_fd == -1) { ++ fprintf(stderr, "Could not open %s for writing\n", ++ console_device != NULL ? console_device : "/dev/tty0 or /dev/vc/0"); ++ printf("\a"); /* Output the only beep we can, in an effort to fall back on usefulness */ ++ perror("open"); ++ exit(1); ++ } ++ ++ if (ioctl(console_fd, EVIOCGSND(0)) != -1) ++ console_type = BEEP_TYPE_EVDEV; ++ else ++ console_type = BEEP_TYPE_CONSOLE; ++ + /* this outermost while loop handles the possibility that -n/--new has been + used, i.e. that we have multiple beeps specified. Each iteration will + play, then free() one parms instance. */ +@@ -362,8 +357,8 @@ int main(int argc, char **argv) { + parms = next; + } + +- if(console_device) +- free(console_device); ++ close(console_fd); ++ console_fd = -1; + + return EXIT_SUCCESS; + } diff --git a/debian/patches/catch-sig-term b/debian/patches/catch-sig-term index 8db0677..85fb67b 100644 --- a/debian/patches/catch-sig-term +++ b/debian/patches/catch-sig-term @@ -1,11 +1,9 @@ Author: Jérôme Description: also catch SIGTERM for stopping the beep -Index: VCS/beep.c -=================================================================== ---- VCS.orig/beep.c 2012-06-10 10:03:39.000000000 +0200 -+++ VCS/beep.c 2012-06-10 10:03:59.000000000 +0200 -@@ -127,6 +127,7 @@ +--- beep-1.3.orig/beep.c ++++ beep-1.3/beep.c +@@ -127,6 +127,7 @@ void handle_signal(int signum) { switch(signum) { case SIGINT: @@ -13,7 +11,7 @@ Index: VCS/beep.c if(console_fd >= 0) { /* Kill the sound, quit gracefully */ do_beep(0); -@@ -321,6 +322,7 @@ +@@ -321,6 +322,7 @@ int main(int argc, char **argv) { parms->next = NULL; signal(SIGINT, handle_signal); diff --git a/debian/patches/series b/debian/patches/series index b3e33f3..b547b91 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ catch-sig-term +CVE-2018-0492.patch -- 2.39.2