
Fedora 29: 2018-92eff16e03 Critical: Privilege Escalation in Beep

January 10, 2019
Essential update released for beep in Fedora 29 rectifying permission and path traversal vulnerabilities related to CVE-2018-1000532.
Security fix for CVE-2018-1000532, new non-root permissions and a few smaller fixes

Summary

Beep allows the user to control the PC speaker with precision, allowing different sounds to indicate different events. While it can be run quite happily on the command line, its intended place of residence is within shell/Perl scripts, notifying the user when something interesting occurs. Of course, it has no notion of what's interesting, but it's real good at that notifying part.

Security fix for CVE-2018-1000532, new non-root permissions and a few smaller fixes. Fix a directory traversal issue introduced with the fix for CVE-2018-1000532, and refuse to run as setuid root or via sudo to avoid any more privilege escalation issues.

----

Security fix for CVE-2018-1000532 and a few smaller fixes

* Sat Dec 29 2018 Hans Ulrich Niedermann - 1.3-26
- Stop shipping old sudo related config files
- Refuse to run when run via sudo
- Set up group 'beep' for write access to evdev device with new udev rule
- Update README.fedora to reflect new group permission setup on evdev device

* Fri Dec 28 2018 Hans Ulrich Niedermann - 1.3-25
- guard against directory traversal in /dev/input/ check
- refuse to run if setuid or setgid root
- make the evdev device the first device to look for (does not require root)

* Fri Dec 28 2018 Hans Ulrich Niedermann - 1.3-24
- Actually apply the patches
- Update COPYING with new FSF address
- Fix Patch9 to work as non-git patch (do the rest with shell)
- Proper naming of Patch14
- Exit beep when error accessing API

* Fri Dec 28 2018 Hans Ulrich Niedermann - 1.3-23
- Fix CVE-2018-1000532 and mitigate against related issues (#1595592)
- Fix a number of potential integer overflows
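
The hardening items in the 1.3-25 and 1.3-26 entries above (directory traversal guard on the /dev/input/ check, refusing setuid/setgid, refusing sudo) can be illustrated as follows. This is an added example, not beep's code or the Fedora patches; the function names and the sample paths are made up for the illustration, and the id comparison is a generalisation of "setuid or setgid root".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define INPUT_DIR "/dev/input/"

/* Prefix-only check: accepts "/dev/input/../../etc/passwd". */
int naive_is_input_device(const char *path)
{
    return strncmp(path, INPUT_DIR, strlen(INPUT_DIR)) == 0;
}

/* Prefix check that also rejects an empty name and any ".." component.
 * Lexical only: it does not resolve symlinks. */
int strict_is_input_device(const char *path)
{
    size_t n = strlen(INPUT_DIR);
    if (strncmp(path, INPUT_DIR, n) != 0 || path[n] == '\0')
        return 0;
    for (const char *p = path + n; *p != '\0'; ) {
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += len;
        if (*p == '/')
            p++;
    }
    return 1;
}

/* 1 if real and effective ids differ (setuid/setgid binary) or sudo's
 * SUDO_UID marker is present in the environment. */
int is_elevated(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid, const char *sudo_uid)
{
    return ruid != euid || rgid != egid || (sudo_uid != NULL && *sudo_uid != '\0');
}

int main(int argc, char **argv)
{
    /* Constructed sample path, used when no argument is given. */
    const char *dev = argc > 1 ? argv[1] : "/dev/input/../../etc/passwd";
    if (is_elevated(getuid(), geteuid(), getgid(), getegid(), getenv("SUDO_UID"))) {
        fprintf(stderr, "refusing to run setuid/setgid or under sudo\n");
        return EXIT_FAILURE;
    }
    printf("%s: naive=%d strict=%d\n", dev,
           naive_is_input_device(dev), strict_is_input_device(dev));
    return EXIT_SUCCESS;
}
```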

[1] Bug #1595591 - CVE-2018-1000532 beep: External control of file name or path via --device option
    https://bugzilla.redhat.com/show_bug.cgi?id=1595591

Run su -c 'dnf upgrade --advisory FEDORA-2018-92eff16e03' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/


Severity: critical

Product: Fedora 29
Version: 1.3
Release: 26.fc29
URL:
Summary: Beep the PC speaker any number of ways
