Bug 25013

Summary: dosbox new security issues CVE-2019-7165 and CVE-2019-12594
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lists.jjorge, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6TOO MGA6-32-OK MGA7-32-OK
Source RPM: dosbox-0.74.2-3.mga7.src.rpm CVE:
Status comment: Fixed upstream in 0.74-3

Description David Walser 2019-06-27 14:03:39 CEST 
DOSBox 0.74-3 has been released on June 26:
https://www.dosbox.com/

It fixes several security issues.

Mageia 6 is also affected.
David Walser 2019-06-27 14:03:55 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO
Status comment: (none) => Fixed upstream in 0.74-3

Comment 1 Lewis Smith 2019-06-28 17:57:19 CEST 
I think this is for you, José.

Assignee: bugsquad => lists.jjorge
CC: (none) => lewyssmith

Comment 2 José Jorge 2019-06-29 14:46:20 CEST 
Waiting for MGA7 release to push to testing. Pushed to MGA6.
Comment 3 José Jorge 2019-06-29 15:02:11 CEST 
Update in testing for MGA6.

Suggested advisory:
Dosbox 0.74-3 is a security release:
* Fixed that a very long line inside a bat file would overflow the parsing buffer. (CVE-2019-7165 by Alexandre Bartel)
* Added a basic permission system so that a program running inside DOSBox can't access the contents of /proc (e.g. /proc/self/mem) when / or /proc were (to be) mounted. (CVE-2019-12594 by Alexandre Bartel)

It also brings several other fixes for out of bounds access and buffer overflows, and some fixes to the OpenGL rendering.

The game compatibility should be identical to 0.74 and 0.74-2.
It's recommended to use config -securemode when dealing with untrusted files. 

Only one RPM and SRPM :
dosbox-0.74.3-1.mga6.*.*rpm

Assignee: lists.jjorge => qa-bugs
Status: NEW => ASSIGNED

José Jorge 2019-06-29 15:02:44 CEST

CC: (none) => lists.jjorge

Comment 4 José Jorge 2019-06-29 17:53:34 CEST 
Submitted to Cauldron and MGA7, changing whiteboard accordingly

Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO

Lewis Smith 2019-06-30 20:34:04 CEST

CC: lewyssmith => (none)

Comment 5 Herman Viaene 2019-07-01 11:04:51 CEST 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
At CLI:
$ dosbox 
Locale detected:	nl
Locale file to use:	dosbox-0.74-nl.lng
DOSBox version 0.74-3
Copyright 2002-2019 DOSBox Team, published under GNU GPL.
---
CONFIG: Generating default configuration.
Writing it to /home/tester6/.dosbox/dosbox-0.74-3.conf
CONFIG:Loading primary settings from config file /home/tester6/.dosbox/dosbox-0.74-3.conf
MIXER:Got different values from SDL: freq 44100, blocksize 512
ALSA:Can't subscribe to MIDI port (65:0) nor (17:0)
MIDI:Opened device:none

I could exercize some DOS commands dir, cd, info, config. So basically works OK.

Whiteboard: MGA6TOO => MGA6TOO, MGA6-32-OK
CC: (none) => herman.viaene

Comment 6 Herman Viaene 2019-07-01 11:40:43 CEST 
Same exercize for MGA7, OK for me.

Whiteboard: MGA6TOO, MGA6-32-OK => MGA6TOO, MGA6-32-OK, MGA7-32-OK

David Walser 2019-07-01 13:24:35 CEST

Whiteboard: MGA6TOO, MGA6-32-OK, MGA7-32-OK => MGA6TOO MGA6-32-OK MGA7-32-OK

Comment 7 Rémi Verschelde 2019-07-10 11:44:26 CEST 
Advisory uploaded, validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2019-07-10 12:45:47 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0205.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2019-08-12 00:31:44 CEST 
Debian advisory from July 10, for reference:
https://www.debian.org/security/2019/dsa-4478