https://www.dosbox.com/news.php?show_news=1

Wednesday, June 26th, 2019 - Qbix
DOSBox 0.74-3 has been released!

A security release for DOSBox 0.74:
- Fixed that a very long line inside a bat file would overflow the parsing buffer. (CVE-2019-7165 by Alexandre Bartel)
- Added a basic permission system so that a program running inside DOSBox can't access the contents of /proc (e.g. /proc/self/mem) when / or /proc were (to be) mounted. (CVE-2019-12594 by Alexandre Bartel)
- Several other fixes for out of bounds access and buffer overflows.
- Some fixes to the OpenGL rendering.

The game compatibility should be identical to 0.74 and 0.74-2.
It's recommended to use config -securemode when dealing with untrusted files.

---

I don't know if this patch is already applied in Gentoo, but going by the patch version date (currently 2016-06-29) that doesn't seem to be the case.
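The release note above ties CVE-2019-12594 to mounting / or /proc and recommends config -securemode. As an added example (not part of this bug report and not DOSBox or Gentoo code), the following Python check audits the [autoexec] section of a DOSBox config for both conditions. It assumes Linux host paths and a simplified subset of mount options, checks only that config -securemode is present (not where it sits), and runs on a constructed sample.

```python
import posixpath
import shlex

VALUE_OPTS = {"-t", "-label", "-freesize", "-usecd"}  # mount options that take a value (subset)

def autoexec_lines(conf_text):
    active = False  # yields the non-comment lines of the [autoexec] section
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            active = line.lower() == "[autoexec]"
        elif active and line and not line.startswith("#"):
            yield line

def mount_target(tokens):
    # Host path of 'mount <drive> <path>', or "" (e.g. for 'mount -u c').
    args, it = [], iter(tokens[1:])
    for tok in it:
        if tok.lower() in VALUE_OPTS:
            next(it, None)  # skip the option's value
        elif not tok.startswith("-"):
            args.append(tok)
    return args[1] if len(args) >= 2 else ""

def exposes_proc(path):
    # True for an absolute host path that is /, /proc, or below /proc.
    if not path.startswith("/"):
        return False  # relative paths are not judged here
    norm = "/" + posixpath.normpath(path).lstrip("/")
    return norm in ("/", "/proc") or norm.startswith("/proc/")

def audit(conf_text):
    findings, secured = [], False
    for line in autoexec_lines(conf_text):
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quote, e.g. in an echo line
            tokens = line.split()
        cmd = tokens[0].lower().lstrip("@")
        if cmd == "config" and "-securemode" in [t.lower() for t in tokens[1:]]:
            secured = True
        elif cmd == "mount" and exposes_proc(mount_target(tokens)):
            findings.append(f"mount exposes /proc: {line}")
    if not secured:
        findings.append("no 'config -securemode' in [autoexec]")
    return findings

# Constructed sample config, not taken from any real installation.
SAMPLE = '[autoexec]\n@echo off\nmount c /home/user/dos\nmount d "/proc/../" -t dir\n'
print(audit(SAMPLE))
```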
When I looked at bumping to 0.74-3 at the time, I found it was mostly older than what we already have because it was cut from a branch rather than trunk. There are some changes that we are missing but on balance, I felt it was better to wait for 0.75. Unfortunately that has been a long time coming. I agree that we probably do not have these security patches so I will look into applying them. We could take a new snapshot but it's always hard to tell whether it will be a good one on any given day. I'd rather wait for the next release.
Hmmm on second thoughts, I now see it's more than just those two CVEs I would need to patch against. Perhaps I should do both a 0.74-3 and new snapshot ebuild. The former will have to do without Glide support as the patch won't apply.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26934bf2b1ca06f45df3f6f51c05f6bd2196dfbe

commit 26934bf2b1ca06f45df3f6f51c05f6bd2196dfbe
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2020-01-01 22:36:25 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2020-01-01 22:56:10 +0000

    games-emulation/dosbox: Drop old and vulnerable 0.74_p20160629-r3

    Bug: https://bugs.gentoo.org/704414
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 games-emulation/dosbox/Manifest | 1 -
 .../dosbox/dosbox-0.74_p20160629-r3.ebuild | 75 ----------------------
 .../dosbox/files/dosbox-0.74.2_events.patch | 37 -----------
 3 files changed, 113 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4b21c579680b27f1a80d7c86408d659a36a6b7b

commit f4b21c579680b27f1a80d7c86408d659a36a6b7b
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2020-01-01 22:33:36 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2020-01-01 22:56:06 +0000

    games-emulation/dosbox: New trunk snapshot to address vulnerabilities

    Bug: https://bugs.gentoo.org/704414
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 games-emulation/dosbox/Manifest | 1 +
 games-emulation/dosbox/dosbox-0.75_pre4302.ebuild | 86 +++++++++++++++++++++++
 2 files changed, 87 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cbf26e890327dabc3a96b1b7aa2ce98a6424aeb2

commit cbf26e890327dabc3a96b1b7aa2ce98a6424aeb2
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2020-01-01 13:56:15 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2020-01-01 22:56:03 +0000

    games-emulation/dosbox: Add version 0.74.3

    Despite being released in 2019, this is actually older than our 2016
    snapshot in some respects as it was not cut from trunk. It does
    include important security fixes though.

    It does not include Glide support as that will not build.

    Bug: https://bugs.gentoo.org/704414
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 games-emulation/dosbox/Manifest | 1 +
 games-emulation/dosbox/dosbox-0.74.3.ebuild | 68 +++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)
I've added both versions and dropped one of the old vulnerable versions but the old stable version remains for now. The idea is that we'll stabilise 0.74.3 as I don't want to stabilise a pre-release snapshot that has hardly had any time to soak. Let's give 0.74.3 a few days first though and I'd like to try and address bug #701688 first.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b2a38c07085789e66ef3301403ede20b02e0719

commit 5b2a38c07085789e66ef3301403ede20b02e0719
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2020-01-05 20:57:43 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2020-01-05 20:57:43 +0000

    games-emulation/dosbox: Drop old and vulnerable 0.74_p20160629

    Bug: https://bugs.gentoo.org/704414
    Closes: https://bugs.gentoo.org/701688
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 games-emulation/dosbox/Manifest | 1 -
 .../dosbox/dosbox-0.74_p20160629.ebuild | 52 ----------------------
 .../dosbox/files/dosbox-0.74-gcc46.patch | 10 -----
 3 files changed, 63 deletions(-)
Just noticed this wasn't a proper security bug. I've dropped the vulnerable version now. Security team, please do your thing.
Tree is clean.
GLSA Vote: No

Repository is clean, all done!