Login
Newsletter
Werbung

Sicherheit: Ausführen beliebiger Kommandos in beep
Aktuelle Meldungen Distributionen
Name: Ausführen beliebiger Kommandos in beep
ID: FEDORA-2018-e4732930df
Distribution: Fedora
Plattformen: Fedora 28
Datum: Fr, 11. Januar 2019, 07:25
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000532
Applikationen: beep

Originalnachricht

-------------------------------------------------------------------------------
-
Fedora Update Notification
FEDORA-2018-e4732930df
2019-01-11 00:16:18.759264
-------------------------------------------------------------------------------
-

Name : beep
Product : Fedora 28
Version : 1.3
Release : 26.fc28
URL : http://www.johnath.com/beep/
Summary : Beep the PC speaker any number of ways
Description :
Beep allows the user to control the PC speaker with precision,
allowing different sounds to indicate different events. While it
can be run quite happily on the command line, its intended place
of residence is within shell/Perl scripts, notifying the user when
something interesting occurs. Of course, it has no notion of
what's interesting, but it's real good at that notifying part.

-------------------------------------------------------------------------------
-
Update Information:

Security fix for CVE-2018-1000532, new non-root permissions and a few smaller
fixes. Fix a directory traversal issue introduced with the fix for
CVE-2018-1000532, and refuses to run as setuid root or via sudo to avoid any
more priviledge escalation issue. ---- Security fix for CVE-2018-1000532 and
a
few smaller fixes
-------------------------------------------------------------------------------
-
ChangeLog:

* Sat Dec 29 2018 Hans Ulrich Niedermann <hun@n-dimensional.de> - 1.3-26
- Stop shipping old sudo related config files
- Refuse to run when run via sudo
- Set up group 'beep' for write access to evdev device with new udev
rule
- Update README.fedora to reflect new group permission setup on evdev device
* Fri Dec 28 2018 Hans Ulrich Niedermann <hun@n-dimensional.de> - 1.3-25
- guard against directory traversal in /dev/input/ check
- refuse to run if setuid or setgid root
- make the evdev device the first device to look for (does not require root)
* Fri Dec 28 2018 Hans Ulrich Niedermann <hun@n-dimensional.de> - 1.3-24
- Actually apply the patches
- Update COPYING with new FSF address
- Fix Patch9 to work as non-git patch (do the rest with shell)
- Proper naming of Patch14
- Exit beep when error accessing API
* Fri Dec 28 2018 Hans Ulrich Niedermann <hun@n-dimensional.de> - 1.3-23
- Fix CVE-2018-1000532 and mitigate against related issues (#1595592)
- Fix a number of potential integer overflows
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> -
1.3-22
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Apr 3 2018 Hans Ulrich Niedermann <hun@n-dimensional.de> - 1.3-21
- Add CVE-2018-0492 fix.
- Behaviour of multiple -f parameters matches documentation now.
-------------------------------------------------------------------------------
-
References:

[ 1 ] Bug #1595591 - CVE-2018-1000532 beep: External control of file name or
path via --device option
https://bugzilla.redhat.com/show_bug.cgi?id=1595591
-------------------------------------------------------------------------------
-

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-e4732930df' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org
Pro-Linux
Unterstützer werden
Neue Nachrichten
Werbung