Debian Bug report logs - #902722
CVE-2018-1000532

Package: beep; Maintainer for beep is Rhonda D'Vine <rhonda@debian.org>; Source for beep is src:beep.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 29 Jun 2018 21:06:12 UTC

Severity: grave

Tags: security, upstream

Found in version beep/1.3-5

Fixed in version beep/1.4.3-1

Done: Rhonda D'Vine <rhonda@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Rhonda D'Vine <rhonda@debian.org>:
Bug#902722; Package beep. (Fri, 29 Jun 2018 21:06:15 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Rhonda D'Vine <rhonda@debian.org>. (Fri, 29 Jun 2018 21:06:15 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-1000532
Date: Fri, 29 Jun 2018 23:05:17 +0200
Package: beep
Severity: important
Tags: security

Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000532

Cheers,
        Moritz



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Jul 2018 17:54:16 GMT)


Marked as found in versions beep/1.3-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Jul 2018 17:57:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Rhonda D'Vine <rhonda@debian.org>:
Bug#902722; Package beep. (Thu, 31 Jan 2019 23:24:02 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Rhonda D'Vine <rhonda@debian.org>. (Thu, 31 Jan 2019 23:24:03 GMT)


Message #14 received at 902722@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 902722@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: CVE-2018-1000532
Date: Fri, 1 Feb 2019 00:20:04 +0100
severity 902722 grave
thanks

On Fri, Jun 29, 2018 at 11:05:17PM +0200, Moritz Muehlenhoff wrote:
> Package: beep
> Severity: important
> Tags: security
> 
> Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000532

There's now a new release/fork:
https://github.com/johnath/beep/issues/11#issuecomment-454056858

Also, can we drop the setuid bit for buster, either in total or at least
make it not the default, but only opt-in?

Cheers,
        Moritz



Severity set to 'grave' from 'important'. Request was from Moritz Mühlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Thu, 31 Jan 2019 23:24:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Rhonda D'Vine <rhonda@debian.org>:
Bug#902722; Package beep. (Thu, 14 Feb 2019 02:15:04 GMT)


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Rhonda D'Vine <rhonda@debian.org>. (Thu, 14 Feb 2019 02:15:04 GMT)


Message #21 received at 902722@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 902722@bugs.debian.org
Subject: Re: Bug#902722: beep: CVE-2018-1000532
Date: Thu, 14 Feb 2019 03:12:01 +0100
Hi Moritz,

Moritz Mühlenhoff wrote:
> > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000532
> 
> There's now a new release/fork:
> https://github.com/johnath/beep/issues/11#issuecomment-454056858

Thanks for that hint.

FTR: Rhonda and I are on it.

Packaging has moved over to https://salsa.debian.org/rhonda/beep and a
partially packaged 1.4.3 is currently in
https://salsa.debian.org/rhonda/beep/tree/debian-1.4.3

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Reply sent to Rhonda D'Vine <rhonda@debian.org>:
You have taken responsibility. (Mon, 18 Feb 2019 14:54:07 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 18 Feb 2019 14:54:07 GMT)


Message #26 received at 902722-close@bugs.debian.org:

From: Rhonda D'Vine <rhonda@debian.org>
To: 902722-close@bugs.debian.org
Subject: Bug#902722: fixed in beep 1.4.3-1
Date: Mon, 18 Feb 2019 14:50:31 +0000
Source: beep
Source-Version: 1.4.3-1

We believe that the bug you reported is fixed in the latest version of
beep, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 902722@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rhonda D'Vine <rhonda@debian.org> (supplier of updated beep package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 18 Feb 2019 15:01:31 +0100
Source: beep
Binary: beep beep-dbgsym beep-udeb
Architecture: source amd64
Version: 1.4.3-1
Distribution: unstable
Urgency: high
Maintainer: Rhonda D'Vine <rhonda@debian.org>
Changed-By: Rhonda D'Vine <rhonda@debian.org>
Description:
 beep       - advanced PC-speaker beeper
 beep-udeb  - advanced PC-speaker beeper - minimal package (udeb)
Closes: 895115 902722
Changes:
 beep (1.4.3-1) unstable; urgency=high
 .
   [ Rhonda D'Vine ]
   * Update watch file for new upstream repository.
   * Remove manpage patch (which was needed for the new options which are now
     incorporated upstream).
   * Use generic dh_install approach now that the GNUmakefile supports it.
   * Update to debhelper-compat (= 12).
   * Disable dh_dwz and dh_auto_test.
   * Bump Standards-Version to 4.3.0.
   * Add debian/NEWS about handling permissions, beep won't get installed suid
     root anymore.
   * Remove debconf handling.
 .
   [ Axel Beckert ]
   * Update Vcs-* headers for move to Salsa.
   * Add a debian/gbp.conf to make gbp aware of the current branch layout.
   * Switch upstream to https://github.com/spkr-beep/beep and import new
     upstream release 1.4.3.
     + Fixes CVE-2018-1000532. (Closes: #902722, #895115)
     + Drop patches CVE-2018-0492.patch + catch-sig-term, applied upstream.
     + Drop patch fix-makefile, fixed differently upstream.
     + Update Homepage and Source fields.
Checksums-Sha1:
 1b6f808716a8b96ec21213a0cc545f33d466f563 1852 beep_1.4.3-1.dsc
 743ad6bb8eee9870737db7177a5aeb8f29d2ef37 39677 beep_1.4.3.orig.tar.gz
 f5769cf3373bfc4cf534b883529e3624eff19a1b 7780 beep_1.4.3-1.debian.tar.xz
 51b9f11ff1e2503fabb6a7b48299fbb7e74c9a45 17796 beep-dbgsym_1.4.3-1_amd64.deb
 f418044ca162fa3895b8d548d6bc7eba2ff40dec 7884 beep-udeb_1.4.3-1_amd64.udeb
 38d316b85b19173295dd06e1e1f36bf93d36597b 5672 beep_1.4.3-1_amd64.buildinfo
 b32f35826ce6b5006c5c3356f3747abb21a362fb 26580 beep_1.4.3-1_amd64.deb
Checksums-Sha256:
 dae48b0b32a76b889c2379007012c015754241b77fe8eae0fe166c5203f44e81 1852 beep_1.4.3-1.dsc
 4867039c828f29714b327e8a5ad20e27dfe185811a666817d54b08df09f0470a 39677 beep_1.4.3.orig.tar.gz
 149c318adba8f82614725c0816b8e6dc6bf76f0aa3f0d8925f64a688e6c15523 7780 beep_1.4.3-1.debian.tar.xz
 fac89dff18002a687c54cf82fc274f7df2b10ba2c2f4a760d3b06d70a067323e 17796 beep-dbgsym_1.4.3-1_amd64.deb
 63098b94195b0425a48e4b48f90853416180abc9672c27608b973c76cb339703 7884 beep-udeb_1.4.3-1_amd64.udeb
 965ec3fc2ca43fdd1fdd7a3d363016fae52fa5c898c1dde806751cf6a585e676 5672 beep_1.4.3-1_amd64.buildinfo
 be1017dac9d57602e9067b88648adaeed7816b9d65a69a3a82c81180b68881db 26580 beep_1.4.3-1_amd64.deb
Files:
 b126ce25c983331a59eb746acb6d2403 1852 sound optional beep_1.4.3-1.dsc
 5e800172c58c042dbf270f69052d4747 39677 sound optional beep_1.4.3.orig.tar.gz
 252da58f297c9f864034ecef0a1cd29e 7780 sound optional beep_1.4.3-1.debian.tar.xz
 4fe2b0c1bcfa17dc29eecc148b5fbeee 17796 debug optional beep-dbgsym_1.4.3-1_amd64.deb
 7c0e98498bb26e6dc154a658759e985b 7884 debian-installer optional beep-udeb_1.4.3-1_amd64.udeb
 e6d8cd4be98ef760314ac828b32073f9 5672 sound optional beep_1.4.3-1_amd64.buildinfo
 0bb65c042d7b1a5e0c246bb625e5c835 26580 sound optional beep_1.4.3-1_amd64.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Rhonda D'Vine <rhonda@debian.org>:
Bug#902722; Package beep. (Wed, 27 Feb 2019 07:57:05 GMT)


Acknowledgement sent to Andreas Tille <tille@debian.org>:
Extra info received and forwarded to list. Copy sent to Rhonda D'Vine <rhonda@debian.org>. (Wed, 27 Feb 2019 07:57:05 GMT)


Message #31 received at 902722@bugs.debian.org:

From: Andreas Tille <tille@debian.org>
To: 902722@bugs.debian.org, 895115@bugs.debian.org, Rhonda D'Vine <rhonda@debian.org>
Subject: Package does not seem to migrate to testing due to missing build on arm64
Date: Wed, 27 Feb 2019 08:52:31 +0100
Hi Rhonda,

I'm just pinging both RC bugs to reset the autoremoval from testing
counter.  I just realised that the package might not migrate to testing
due to a missing arm64 build.  I leave it to you to decide about the
action to take but just wanted to prevent that you will be hit by an
autoremoval which might have escaped your attention.

Kind regards

       Andreas.

-- 
http://fam-tille.de



Information forwarded to debian-bugs-dist@lists.debian.org, Rhonda D'Vine <rhonda@debian.org>:
Bug#902722; Package beep. (Wed, 27 Feb 2019 10:15:05 GMT)


Acknowledgement sent to Rhonda D'Vine <rhonda@deb.at>:
Extra info received and forwarded to list. Copy sent to Rhonda D'Vine <rhonda@debian.org>. (Wed, 27 Feb 2019 10:15:06 GMT)


Message #36 received at 902722@bugs.debian.org:

From: Rhonda D'Vine <rhonda@deb.at>
To: Andreas Tille <tille@debian.org>, 902722@bugs.debian.org, 895115@bugs.debian.org, Rhonda D'Vine <rhonda@debian.org>
Subject: Re: Package does not seem to migrate to testing due to missing build on arm64
Date: Wed, 27 Feb 2019 11:07:06 +0100
   Hi!

On 2/27/19 8:52 AM, Andreas Tille wrote:
> I'm just pinging both RC bugs to reset the autoremoval from testing
> counter.  I just realised that the package might not migrate to testing
> due to a missing arm64 build.  I leave it to you to decide about the
> action to take but just wanted to prevent that you will be hit by an
> autoremoval which might have escaped your attention.

 Thanks.  The discussions about whether (and how) to add support to
automatically make beep available to non-root users did hold it back a
bit.  The patch for making it build on arm64 is prepared, I just wasn't
too sure what to do about the discussions on whether it's fine to leave
local adaption to the admin (and potentially improve the documentation
about it), or to offer support through the packaging for it.  Given that
an additional dependency on acl doesn't sound too encouraging, and
whether a TAG+="uaccess" might be more useful instead (which I haven't
tried yet), this sort of blocked my thoughts from just uploading the fix
so far.

 So .. thanks for the ping, will get around to it later today. :)
Rhonda
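
The message above weighs leaving the non-root setup to the local admin against packaging it through an acl dependency or a udev TAG+="uaccess" rule, and the 1.4.3-1 changelog earlier in this log says beep is no longer installed suid root. The script below is an added example, not code from this bug report, from Debian or from the beep project. It checks whether an installed beep binary is still setuid root and prints the two non-suid alternatives the thread mentions. The udev match on ATTRS{name}=="PC Speaker", the rules file name, the /dev/input/by-path/platform-pcspkr-event-spkr device path and the user name alice are assumptions made for the example, not facts stated on this page.

```shell
#!/bin/sh
# Added example (not from the bug report, Debian or the beep project):
# audit whether a beep binary is still installed setuid root and show the
# non-suid alternatives discussed in Debian bug #902722.

# mode_is_suid MODE
#   MODE is the octal string printed by `stat -c %a` (e.g. 755 or 4755).
#   GNU stat prints a fourth, leading digit only when a special bit is set;
#   the setuid bit is 4 in that digit, so 4, 5, 6 and 7 all mean setuid,
#   while 1 (sticky) and 2 (setgid) alone do not.
mode_is_suid() {
    m=$1
    [ "${#m}" -eq 4 ] || return 1
    case "${m%???}" in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# audit_suid_root FILE
#   Prints "missing", "suid-root", "suid-nonroot" or "not-suid" and returns 0
#   only for "suid-root", the configuration this bug report is about.
audit_suid_root() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 2; }
    set -- $(stat -c '%a %U' "$f" 2>/dev/null)   # GNU stat: octal mode, owner
    if mode_is_suid "$1"; then
        if [ "$2" = root ]; then echo "suid-root"; return 0; fi
        echo "suid-nonroot"; return 1
    fi
    echo "not-suid"; return 1
}

# udev_uaccess_rule
#   Emits a udev rule tagging the PC speaker event device "uaccess", so that
#   systemd-logind grants the active seat user an ACL on it. The match on
#   the input device name is an assumption; the file must sort before
#   systemd's 73-seat-late.rules, which is where the uaccess tag is applied.
udev_uaccess_rule() {
    printf '%s\n' 'ACTION=="add", SUBSYSTEM=="input", KERNEL=="event*", ATTRS{name}=="PC Speaker", TAG+="uaccess"'
}

# main [BEEP_PATH]
#   Stand-alone audit of the installed binary (default /usr/bin/beep).
main() {
    beep=${1:-/usr/bin/beep}
    printf '%s: %s\n' "$beep" "$(audit_suid_root "$beep" || true)"
    # dpkg-statoverride is Debian's mechanism for locally overriding a
    # packaged file's owner and mode; an entry here would keep beep suid
    # across the upgrade even though the package no longer installs it so.
    if command -v dpkg-statoverride >/dev/null 2>&1; then
        dpkg-statoverride --list "$beep" || echo "no statoverride for $beep"
    fi
    echo 'udev alternative, e.g. /etc/udev/rules.d/70-pcspkr-beep.rules (match assumed):'
    udev_uaccess_rule
    echo 'ACL alternative for a single user (device path assumed):'
    echo '  setfacl -m u:alice:rw /dev/input/by-path/platform-pcspkr-event-spkr'
}

main "$@"
```

Run it as `sh audit-beep.sh` or `sh audit-beep.sh /path/to/beep`. A result of "suid-root" on a host that has upgraded to 1.4.3-1 points at a local dpkg-statoverride entry or a manual chmod, which is exactly the "leave local adaptation to the admin" case the thread discusses; the udev rule is the seat-based alternative and the ACL the per-user one.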



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 28 Mar 2019 07:27:43 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:32:19 2019; Machine Name: buxtehude
