I thought this was interesting as a cautionary tale that even tiny open source programs that are widely installed for years can contain critical security exploits. I don't understand the trend of security exploits getting their own website, name and logo though.
This site seems to have been created by a company specializing in giving security exploits their own branding:
"I want to brand my next vulnerability. Can you make a logo for me?
Great idea! Please contact our sales department."
It's definitely not associated with the person who discovered the beep vuln:
"Holey Beep is a community-maintained project for the bug otherwise known as CVE-2018-0492. It is not associated with the Linux Foundation, nor with the original discoverer of this vulnerability. If you would like to contribute go to GitHub."
Apart from confirming the vulnerability, that page doesn't really give any technical info. Does anyone have any details on the problem? It's such a simple program that I'm fascinated by the fact that it has a security vulnerability.
I was looking at the patch that Debian shipped and it seems to me that there was some kind of a race condition when opening the console device multiple times, but I can't figure out the exact source of the problem.
Hah, it is quite surreal what kind of scripts are asked to be curled and piped to a shell. And some users do eithout hesitation, because some website asked them to. Hopefully this pipe to sudo shell joke works as an eye opener to some.
Sure. Trust. But shell script at least gives easy means to have a glimpse what is it going to do.
As legitimate websites of software have been breached to serve infected packages (like CCleaner[1]) or otherwise fraudulent content (even kernel.org[2]), I always shudder a bit, when I see being asked to pipe something directly from curl to a (root) shell.
16 comments
[ 4.6 ms ] story [ 45.3 ms ] thread"I want to brand my next vulnerability. Can you make a logo for me?
Great idea! Please contact our sales department."
It's definitely not associated with the person who discovered the beep vuln:
"Holey Beep is a community-maintained project for the bug otherwise known as CVE-2018-0492. It is not associated with the Linux Foundation, nor with the original discoverer of this vulnerability. If you would like to contribute go to GitHub."
Strange.
"Debian Security Advisory DSA-4163-1 beep -- security update"
https://www.debian.org/security/2018/dsa-4163
I was looking at the patch that Debian shipped and it seems to me that there was some kind of a race condition when opening the console device multiple times, but I can't figure out the exact source of the problem.
As legitimate websites of software have been breached to serve infected packages (like CCleaner[1]) or otherwise fraudulent content (even kernel.org[2]), I always shudder a bit, when I see being asked to pipe something directly from curl to a (root) shell.
1. https://www.extremetech.com/internet/256238-ccleaner-infecti...
2. https://lwn.net/Articles/457142/