Debian has issued an advisory on April 2: https://www.debian.org/security/2018/dsa-4163 We don't configure beep as setuid, so this is a very minor issue for us. Mageia 5 and Mageia 6 are also affected (sort of, anyway).
Assigning to the registered maintainer.
Assignee: bugsquad => shlomif
CC: (none) => marja11
(In reply to David Walser from comment #0)
> Debian has issued an advisory on April 2:
> https://www.debian.org/security/2018/dsa-4163
>
> We don't configure beep as setuid, so this is a very minor issue for us.
>
> Mageia 5 and Mageia 6 are also affected (sort of, anyway).

Hi David! According to https://www.mageia.org/en/support/ Mageia 5 was already end-of-lifed. Why do you still mention it?
Hi all! My link-fu is failing me - where can I find the patch fixing this - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894667 ?
(In reply to Shlomi Fish from comment #3)
> Hi all! My link-fu is failing me - where can I find the patch fixing this -
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894667 ?

I can't find the plain patch, but saw a file containing CVE-2018-0492.patch: https://release.debian.org/proposed-updates/stable_diffs/beep_1.3-4+deb9u1.debdiff

Btw, we're trying to keep Mageia 5 alive wrt security updates until the Mga5->6 upgrade path works.
I mention Mageia 5 for documentation purposes since it's not totally dead yet. We're only fixing important packages so don't worry about it for this one.
beep-1.3-6.1.mga5
beep-1.3-7.1.mga6
beep-1.3-8.mga7

have been uploaded by Shlomi to fix this.
Version: Cauldron => 6
I am confused about this, based on these comments:
http://openwall.com/lists/oss-security/2018/04/06/1
http://openwall.com/lists/oss-security/2018/04/06/2

Is this vulnerability real? Is the patch Shlomi got from Debian bad or good?
The vulnerability is real (but again, only when the binary is SUID root, which ours isn't by default), but the fix is incomplete and there are other issues:
http://openwall.com/lists/oss-security/2018/04/08/1

A good argument was made in the message above for dropping the package.
(In reply to David Walser from comment #8)
> The vulnerability is real (but again, only when the binary is SUID root,
> which ours isn't by default), but the fix is incomplete and there are other
> issues:
> http://openwall.com/lists/oss-security/2018/04/08/1
>
> A good argument was made in the message above for dropping the package.

Can I add it to task-obsoletes then?
(In reply to Shlomi Fish from comment #9)
> Can I add it to task-obsoletes then?

I doubt anyone uses it anymore, so yes, that should be fine.
Status comment: (none) => Fix incomplete and there are other issues, only affects SUID binaries which ours isn't
Mageia 6 is EOL.
Resolution: (none) => OLD
Status: NEW => RESOLVED
CC: (none) => mrambo