Releases: spkr-beep/beep

beep-1.4.1

08 Jan 05:57

beep-1.4.1 is a bugfix release:

  • Safer signal handlers (safe_error_exit() without global variables).
  • Reduce accepted range of input numbers. 5 minute beeps should still be enough.

beep-1.4.0

04 Jan 11:15

The beep-1.4.0 release tries to revive the beep software. There have been no commits to the former upstream since 2013, and with the two CVEs in 2018 that needed to change.

Packagers beware: Please read PACKAGING.md for the very different (and much better) new way of device access.

First and foremost, beep-1.4.0 fixes CVE-2018-0492 and CVE-2018-1000532. The beep command now by default tries /dev/input/by-path/platform-pcspkr-event-spkr, which allows arbitrary users to be given beep access by granting those users write access to that file. The procedures to do that are now well documented in INSTALL.md and PERMISSIONS.md. There is no need for setuid-root or sudo any more, and due to the experiences with the two 2018 CVEs, beep will even refuse to run when it detects being run setuid or via sudo.
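One way a small tool can implement the "refuse to run setuid or via sudo" check described above, as an added example that is not beep's own code. The names `classify_elevation` and `env_has`, the enum, and the choice to key on the `SUDO_*` variables that sudo exports are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

extern char **environ;

enum elevation { ELEV_NONE = 0, ELEV_SETUID, ELEV_SETGID, ELEV_SUDO };

/* Return 1 if envp contains a variable named exactly `name` (any value). */
static int env_has(char *const envp[], const char *name)
{
    size_t n = strlen(name);
    if (envp == NULL)
        return 0;
    for (; *envp != NULL; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return 1;
    return 0;
}

/* Pure decision function (hypothetical name): IDs and environment are passed
 * in so the policy can be tested without actually being setuid or under sudo. */
enum elevation classify_elevation(uid_t ruid, uid_t euid,
                                  gid_t rgid, gid_t egid, char *const envp[])
{
    /* Variables sudo sets for the command it runs. */
    static const char *const sudo_vars[] = {
        "SUDO_COMMAND", "SUDO_USER", "SUDO_UID", "SUDO_GID"
    };
    size_t i;
    if (ruid != euid)
        return ELEV_SETUID;   /* setuid bit: effective UID differs from real */
    if (rgid != egid)
        return ELEV_SETGID;   /* setgid bit: effective GID differs from real */
    for (i = 0; i < sizeof sudo_vars / sizeof sudo_vars[0]; i++)
        if (env_has(envp, sudo_vars[i]))
            return ELEV_SUDO;
    return ELEV_NONE;
}

int main(void)
{
    enum elevation e = classify_elevation(getuid(), geteuid(),
                                          getgid(), getegid(), environ);
    if (e != ELEV_NONE) {
        fprintf(stderr, "refusing to run with elevated privileges (%d)\n", (int)e);
        return 1;
    }
    puts("running unprivileged; device access depends on file permissions only");
    return 0;
}
```

The real-versus-effective ID comparison is the reliable part. The environment check is a guard against packaging and administration mistakes, not a security boundary, since the invoking side controls the environment.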

A few smaller things have also been changed. Quoting the CHANGELOG:

  • Fix CVE-2018-1000532 External Control of File Name or Path vulnerability in --device option
  • Fix CVE-2018-0492 race condition that allows local privilege escalation
  • Make /dev/input/by-path/platform-pcspkr-event-spkr the default device to use
    as the system administrator can allow access to that without needing any
    privilege escalation risks via setuid or sudo.
  • Adapt --help output, beep.1 man page, README.md, INSTALL.md to reflect the new device use.
  • Add basic suite of tests.
  • Constrained a few integers to avoid integer overflows.
  • Only issue fallback '\a' type beeps if that '\a' actually goes to a tty device
    which can actually beep
  • Stop promoting floating point frequencies which no Kernel API can even use