Bug 704414 (CVE-2019-12594, CVE-2019-7165) - <games-emulation/dosbox-0.74.3: Multiple vulnerabilities (CVE-2019-7165, CVE-2019-12594)
Status: RESOLVED FIXED
Alias: CVE-2019-12594, CVE-2019-7165
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on: 704767
Reported: 2020-01-01 10:13 UTC by Esteve Varela Colominas
Modified: 2020-03-26 19:05 UTC
Description Esteve Varela Colominas 2020-01-01 10:13:42 UTC
https://www.dosbox.com/news.php?show_news=1

Wednesday, June 26th, 2019 - Qbix 

DOSBox 0.74-3 has been released!

A security release for DOSBox 0.74:

    Fixed that a very long line inside a bat file would overflow the parsing buffer. (CVE-2019-7165 by Alexandre Bartel)
    Added a basic permission system so that a program running inside DOSBox can't access the contents of /proc (e.g. /proc/self/mem) when / or /proc were (to be) mounted. (CVE-2019-12594 by Alexandre Bartel)
    Several other fixes for out of bounds access and buffer overflows.
    Some fixes to the OpenGL rendering.


The game compatibility should be identical to 0.74 and 0.74-2.
It's recommended to use config -securemode when dealing with untrusted files.


---


I don't know if this patch is already applied in Gentoo, but going by the patch version date (currently 2016-06-29) that doesn't seem to be the case.
Comment 1 James Le Cuirot gentoo-dev 2020-01-01 11:36:13 UTC
When I looked at bumping to 0.74-3 at the time, I found it was mostly older than what we already have because it was cut from a branch rather than trunk. There are some changes that we are missing but on balance, I felt it was better to wait for 0.75. Unfortunately that has been a long time coming. I agree that we probably do not have these security patches so I will look into applying them. We could take a new snapshot but it's always hard to tell whether it will be a good one on any given day. I'd rather wait for the next release.
Comment 2 James Le Cuirot gentoo-dev 2020-01-01 12:22:53 UTC
Hmmm on second thoughts, I now see it's more than just those two CVEs I would need to patch against. Perhaps I should do both a 0.74-3 and new snapshot ebuild. The former will have to do without Glide support as the patch won't apply.
Comment 3 Larry the Git Cow gentoo-dev 2020-01-01 22:56:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26934bf2b1ca06f45df3f6f51c05f6bd2196dfbe

commit 26934bf2b1ca06f45df3f6f51c05f6bd2196dfbe
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2020-01-01 22:36:25 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2020-01-01 22:56:10 +0000

    games-emulation/dosbox: Drop old and vulnerable 0.74_p20160629-r3
    
    Bug: https://bugs.gentoo.org/704414
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 games-emulation/dosbox/Manifest                    |  1 -
 .../dosbox/dosbox-0.74_p20160629-r3.ebuild         | 75 ----------------------
 .../dosbox/files/dosbox-0.74.2_events.patch        | 37 -----------
 3 files changed, 113 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4b21c579680b27f1a80d7c86408d659a36a6b7b

commit f4b21c579680b27f1a80d7c86408d659a36a6b7b
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2020-01-01 22:33:36 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2020-01-01 22:56:06 +0000

    games-emulation/dosbox: New trunk snapshot to address vulnerabilities
    
    Bug: https://bugs.gentoo.org/704414
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 games-emulation/dosbox/Manifest                   |  1 +
 games-emulation/dosbox/dosbox-0.75_pre4302.ebuild | 86 +++++++++++++++++++++++
 2 files changed, 87 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cbf26e890327dabc3a96b1b7aa2ce98a6424aeb2

commit cbf26e890327dabc3a96b1b7aa2ce98a6424aeb2
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2020-01-01 13:56:15 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2020-01-01 22:56:03 +0000

    games-emulation/dosbox: Add version 0.74.3
    
    Despite being released in 2019, this is actually older than our 2016
    snapshot in some respects as it was not cut from trunk. It does
    include important security fixes though. It does not include Glide
    support as that will not build.
    
    Bug: https://bugs.gentoo.org/704414
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 games-emulation/dosbox/Manifest             |  1 +
 games-emulation/dosbox/dosbox-0.74.3.ebuild | 68 +++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)
Comment 4 James Le Cuirot gentoo-dev 2020-01-01 23:00:50 UTC
I've added both versions and dropped one of the old vulnerable versions but the old stable version remains for now. The idea is that we'll stabilise 0.74.3 as I don't want to stabilise a pre-release snapshot that has hardly had any time to soak. Let's give 0.74.3 a few days first though and I'd like to try and address bug #701688 first.
Comment 5 Larry the Git Cow gentoo-dev 2020-01-05 20:58:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b2a38c07085789e66ef3301403ede20b02e0719

commit 5b2a38c07085789e66ef3301403ede20b02e0719
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2020-01-05 20:57:43 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2020-01-05 20:57:43 +0000

    games-emulation/dosbox: Drop old and vulnerable 0.74_p20160629
    
    Bug: https://bugs.gentoo.org/704414
    Closes: https://bugs.gentoo.org/701688
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 games-emulation/dosbox/Manifest                    |  1 -
 .../dosbox/dosbox-0.74_p20160629.ebuild            | 52 ----------------------
 .../dosbox/files/dosbox-0.74-gcc46.patch           | 10 -----
 3 files changed, 63 deletions(-)
Comment 6 James Le Cuirot gentoo-dev 2020-01-05 20:59:37 UTC
Just noticed this wasn't a proper security bug.

I've dropped the vulnerable version now. Security team, please do your thing.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 18:49:09 UTC
Tree is clean.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-26 19:05:02 UTC
GLSA Vote: No

Repository is clean, all done!