Hello.
After analysis of the diff it is unclear what exactly the race condition
bug is and how it would constitute a privilege escalation.
Please could somebody provide an explanation of what the race condition
is, and how it is a security issue rather than just being a regular bug,
so we can understand why the patch fixes it.
It seems that opening/closing the console_device (set with -e) was done
repeatedly in the -n case. It's possible that the race in question would
be triggered if a SIGINT or SIGTERM was sent at the right time (at which
time?), possibly causing a double free. As the beep program just performs
ioctl or writes a very simple struct to an fd, it does not seem there is
enough attacker control to actually do any sort of code execution with
beep.
So this may not really be a security issue, just a minor improvement in
the code. I welcome being corrected though.
(Note: we have looked at the satire website about the bug,
https://holeybeep.ninja, and it does not provide any technical details of
interest.)
Cheers!