http://aluigi.altervista.org/adv/dosboxxx-adv.txt I would't dismiss this issue so lightly as the authors of dosbox. Doing mount c: ~/ and then going on killing the user data from within a malicious dos application or batch file is a very simple task. At the very least a post install warning is in order, imho.
this isn't a security issue.
When applications can freely modify data outside of the emulator, it is a security issue.
CVE-2007-6328 (** DISPUTED ** ...) NOTE: DOSBox emulation is not a security feature and this CVE describes NOTE: a design decision. What's the difference between this and starting any other process with a user's privileges? I don't consider this to be an issue, and seeing that upstream will not provide patches, I also would not know how to patch it, except for deviating from their code.
This is a feature, not a bug. Fedora is not going to consider this a security issue either.
(In reply to comment #3) > What's the difference between this and starting any other process with a user's > privileges? The difference is that you expect an emulator (or virtual machine) to be a closed box, guarding the host from anything run inside of it, configured allowed access excepted.
(In reply to comment #5) > (In reply to comment #3) > > What's the difference between this and starting any other process with a user's > > privileges? > > The difference is that you expect an emulator (or virtual machine) to be a > closed box, guarding the host from anything run inside of it, configured > allowed access excepted. Not actually. You can't really expect a virtual machine to allow only explicitly configured access to outside resources -- this applies only to a subset of virtual machines. What decides it what is documented. This behavior of DOSBox is the first thing documented at the beginning of the README and described on the screen once you launch it. I really can't imagine a kind of person that would expect dosbox to disallow access to host filesystem as it's the only way can dosbox access the programs that are expected to run and is absolutely needed to do even the most basic tasks in dosbox.
On the Gentoo side: adding a little warning about that wouldn't hurt. Some users may not realize that a program executed into dosbox may mount directories and have access to any directory outside the one they specified when launching dosbox. On the upstream side: IMO dosbox should have a secure mode restricting the use of mount and others dangerous commands if any. Anyway, I don't think this is such a security problem.
(In reply to comment #7) > On the Gentoo side: adding a little warning about that wouldn't hurt. Some > users may not realize that a program executed into dosbox may mount directories > and have access to any directory outside the one they specified when launching > dosbox. Games, can you include the warning so this bug can be closed?
No thanks. It's a feature of dosbox. Please just go ahead and close this bug. It's based on wrong understanding in the first place. There's nothing to see here.
And who doesn't like "features"? -- closing
