From: Rhonda D'Vine Date: Thu, 26 Apr 2018 16:06:48 +0000 (+0200) Subject: CVE-2018-0492 X-Git-Tag: debian/1.3-5~4 X-Git-Url: https://git.deb.at/w?a=commitdiff_plain;h=df5205ffe0015ae49fd0bb842747499c1cc8d683;p=pkg%2Fbeep.git CVE-2018-0492 --- diff --git a/debian/changelog b/debian/changelog index 70f196f..1b54ad3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,11 @@ -beep (1.3-5) unstable; urgency=low +beep (1.3-5) unstable; urgency=high * Rewrite debian/copyright in DEP-5 format, and relicense the packaging under MIT to make it clear for lawyers, too. + * CVE-2018-0492: Fix a local privilege escalation vulnerability. + (Closes: #894667) - -- + -- Rhonda D'Vine Thu, 26 Apr 2018 18:08:11 +0200 beep (1.3-4) unstable; urgency=low diff --git a/debian/patches/CVE-2018-0492.patch b/debian/patches/CVE-2018-0492.patch new file mode 100644 index 0000000..e69ef05 --- /dev/null +++ b/debian/patches/CVE-2018-0492.patch @@ -0,0 +1,104 @@ +--- beep-1.3.orig/beep.c ++++ beep-1.3/beep.c +@@ -109,6 +109,7 @@ void do_beep(int freq) { + /* BEEP_TYPE_EVDEV */ + struct input_event e; + ++ memset(&e, 0, sizeof(e)); + e.type = EV_SND; + e.code = SND_TONE; + e.value = freq; +@@ -121,10 +122,6 @@ void do_beep(int freq) { + /* If we get interrupted, it would be nice to not leave the speaker beeping in + perpetuity. */ + void handle_signal(int signum) { +- +- if(console_device) +- free(console_device); +- + switch(signum) { + case SIGINT: + case SIGTERM: +@@ -254,7 +251,7 @@ void parse_command_line(int argc, char * + result->verbose = 1; + break; + case 'e' : /* also --device */ +- console_device = strdup(optarg); ++ console_device = optarg; + break; + case 'h' : /* notice that this is also --help */ + default : +@@ -273,26 +270,6 @@ void play_beep(beep_parms_t parms) { + "%d delay after) @ %.2f Hz\n", + parms.reps, parms.length, parms.delay, parms.end_delay, parms.freq); + +- /* try to snag the console */ +- if(console_device) +- console_fd = open(console_device, O_WRONLY); +- else +- if((console_fd = open("/dev/tty0", O_WRONLY)) == -1) +- console_fd = open("/dev/vc/0", O_WRONLY); +- +- if(console_fd == -1) { +- fprintf(stderr, "Could not open %s for writing\n", +- console_device != NULL ? console_device : "/dev/tty0 or /dev/vc/0"); +- printf("\a"); /* Output the only beep we can, in an effort to fall back on usefulness */ +- perror("open"); +- exit(1); +- } +- +- if (ioctl(console_fd, EVIOCGSND(0)) != -1) +- console_type = BEEP_TYPE_EVDEV; +- else +- console_type = BEEP_TYPE_CONSOLE; +- + /* Beep */ + for (i = 0; i < parms.reps; i++) { /* start beep */ + do_beep(parms.freq); +@@ -302,8 +279,6 @@ void play_beep(beep_parms_t parms) { + if(parms.end_delay || (i+1 < parms.reps)) + usleep(1000*parms.delay); /* wait... */ + } /* repeat. */ +- +- close(console_fd); + } + + +@@ -325,6 +300,26 @@ int main(int argc, char **argv) { + signal(SIGTERM, handle_signal); + parse_command_line(argc, argv, parms); + ++ /* try to snag the console */ ++ if(console_device) ++ console_fd = open(console_device, O_WRONLY); ++ else ++ if((console_fd = open("/dev/tty0", O_WRONLY)) == -1) ++ console_fd = open("/dev/vc/0", O_WRONLY); ++ ++ if(console_fd == -1) { ++ fprintf(stderr, "Could not open %s for writing\n", ++ console_device != NULL ? console_device : "/dev/tty0 or /dev/vc/0"); ++ printf("\a"); /* Output the only beep we can, in an effort to fall back on usefulness */ ++ perror("open"); ++ exit(1); ++ } ++ ++ if (ioctl(console_fd, EVIOCGSND(0)) != -1) ++ console_type = BEEP_TYPE_EVDEV; ++ else ++ console_type = BEEP_TYPE_CONSOLE; ++ + /* this outermost while loop handles the possibility that -n/--new has been + used, i.e. that we have multiple beeps specified. Each iteration will + play, then free() one parms instance. */ +@@ -362,8 +357,8 @@ int main(int argc, char **argv) { + parms = next; + } + +- if(console_device) +- free(console_device); ++ close(console_fd); ++ console_fd = -1; + + return EXIT_SUCCESS; + } diff --git a/debian/patches/series b/debian/patches/series index 2c1d9d6..981c6c7 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ catch-sig-term fix-makefile +CVE-2018-0492.patch