Name | CVE-2018-1000532 |
Description | beep version 1.3 and up contains an External Control of File Name or Path vulnerability in the --device option that can result in a local unprivileged user inhibiting execution of arbitrary programs by other users, allowing DoS. This attack appears to be exploitable if the system allows local users to run beep. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | ELA-621-1, ELA-951-1 |
Debian Bugs | 902722 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
beep (PTS) | jessie, jessie (lts) | 1.3-3+deb8u2 | fixed |
| stretch (security) | 1.3-4+deb9u1 | vulnerable |
| stretch (lts), stretch | 1.3-4+deb9u2 | fixed |
| buster | 1.4.3-2 | fixed |
| bullseye, bookworm | 1.4.9-1 | fixed |
| sid, trixie | 1.4.9-1.1 | fixed |
The information below is based on the following data on fixed versions.
Notes
[stretch] - beep <no-dsa> (Minor issue)
[jessie] - beep <no-dsa> (Minor issue)
https://github.com/johnath/beep/issues/11#issuecomment-379514298
https://github.com/spkr-beep/beep/commit/10cd5126f320154dccf344e19248c5589d9c20bb