Debian Bug report logs - #931222
dosbox: CVE-2019-7165 CVE-2019-12594


Package: src:dosbox; Maintainer for src:dosbox is Stephen Kitt <skitt@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 28 Jun 2019 14:33:01 UTC

Severity: serious

Tags: fixed-upstream, security, upstream

Found in versions dosbox/0.74-4.2+deb9u1, dosbox/0.74-4, dosbox/0.74-2-3

Fixed in versions dosbox/0.74-2-3+deb10u1, dosbox/0.74-4.2+deb9u2, dosbox/0.74-3-1

Done: Stephen Kitt <skitt@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Stephen Kitt <skitt@debian.org>:
Bug#931222; Package src:dosbox. (Fri, 28 Jun 2019 14:33:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Stephen Kitt <skitt@debian.org>. (Fri, 28 Jun 2019 14:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dosbox: CVE-2019-7165 CVE-2019-12594
Date: Fri, 28 Jun 2019 16:31:52 +0200
Source: dosbox
Version: 0.74-2-3
Severity: important
Tags: security upstream
Control: found -1 0.74-4.2+deb9u1
Control: found -1 0.74-4

Hi,

The following vulnerabilities were published for dosbox.

> From https://www.dosbox.com/news.php?show_news=1
> 
> DOSBox 0.74-3 has been released!
> 
> A security release for DOSBox 0.74:
> 
>     Fixed that a very long line inside a bat file would overflow the
>     parsing buffer. (CVE-2019-7165 by Alexandre Bartel)
> 
>     Added a basic permission system so that a program running inside
>     DOSBox can't access the contents of /proc (e.g. /proc/self/mem)
>     when / or /proc were (to be) mounted. (CVE-2019-12594 by Alexandre
>     Bartel)
> 
>     Several other fixes for out of bounds access and buffer overflows.
> 
>     Some fixes to the OpenGL rendering.
> 
> 
> The game compatibility should be identical to 0.74 and 0.74-2.
> It's recommended to use config -securemode when dealing with
> untrusted files.
> 
> 
> Ideally, 0.75 should have been released by now, but some bugs took a
> lot longer than expected.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-7165
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7165
[1] https://security-tracker.debian.org/tracker/CVE-2019-12594
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12594

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions dosbox/0.74-4.2+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 28 Jun 2019 14:33:04 GMT)


Marked as found in versions dosbox/0.74-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 28 Jun 2019 14:33:04 GMT)


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 28 Jun 2019 14:45:09 GMT)


Severity set to 'serious' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 08 Jul 2019 20:33:03 GMT)


Reply sent to Stephen Kitt <skitt@debian.org>:
You have taken responsibility. (Tue, 16 Jul 2019 21:09:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 16 Jul 2019 21:09:14 GMT)


Message #18 received at 931222-close@bugs.debian.org:

From: Stephen Kitt <skitt@debian.org>
To: 931222-close@bugs.debian.org
Subject: Bug#931222: fixed in dosbox 0.74-2-3+deb10u1
Date: Tue, 16 Jul 2019 21:05:43 +0000
Source: dosbox
Source-Version: 0.74-2-3+deb10u1

We believe that the bug you reported is fixed in the latest version of
dosbox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 931222@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Kitt <skitt@debian.org> (supplier of updated dosbox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 08 Jul 2019 09:15:40 +0200
Source: dosbox
Architecture: source
Version: 0.74-2-3+deb10u1
Distribution: buster-security
Urgency: medium
Maintainer: Stephen Kitt <skitt@debian.org>
Changed-By: Stephen Kitt <skitt@debian.org>
Closes: 931222
Changes:
 dosbox (0.74-2-3+deb10u1) buster-security; urgency=medium
 .
   * Apply upstream fixes for two security issues:
     - CVE-2019-7165: long lines in batch files would overflow the parsing
       buffer;
     - CVE-2019-12594: programs running inside DOSBox could access /proc.
     along with a number of buffer overrun fixes. Closes: #931222.
Checksums-Sha1:
 92683c016011e4df152f6f2e6d3fcde3fc81bb38 2006 dosbox_0.74-2-3+deb10u1.dsc
 3008694ef998853257c6a4cb5374229e157ceaf3 1324059 dosbox_0.74-2.orig.tar.gz
 cd12a4b35f2ff562c05f8bb3e2aa13a65bcf2782 94724 dosbox_0.74-2-3+deb10u1.debian.tar.xz
 3a3f656625a75079cfb0ae48bc0722f60d7d8b9b 10379 dosbox_0.74-2-3+deb10u1_source.buildinfo
Checksums-Sha256:
 4f312a2292a6f355f0a344dff0f406f76c461e53d96f157a976f3563b1ad735b 2006 dosbox_0.74-2-3+deb10u1.dsc
 7077303595bedd7cd0bb94227fa9a6b5609e7c90a3e6523af11bc4afcb0a57cf 1324059 dosbox_0.74-2.orig.tar.gz
 fe06d5f9dac6abdb25bc71f57b03c6a6d07ca15dab64016d449c23bacc428a00 94724 dosbox_0.74-2-3+deb10u1.debian.tar.xz
 94cdee3808b72726a605c5348a74ef40385408af8da794f7df1530ccebe60327 10379 dosbox_0.74-2-3+deb10u1_source.buildinfo
Files:
 2458c9d99b4402184391a7b7e6bd1efe 2006 otherosfs optional dosbox_0.74-2-3+deb10u1.dsc
 7110ee24a45a2b4951ad52eb1a3722be 1324059 otherosfs optional dosbox_0.74-2.orig.tar.gz
 62fa5eb5d7a28f48d19751082936c8fc 94724 otherosfs optional dosbox_0.74-2-3+deb10u1.debian.tar.xz
 7f40fef0c10da2128b462c1cad8dc0cd 10379 otherosfs optional dosbox_0.74-2-3+deb10u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Stephen Kitt <skitt@debian.org>:
You have taken responsibility. (Tue, 16 Jul 2019 21:33:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 16 Jul 2019 21:33:09 GMT)


Message #23 received at 931222-close@bugs.debian.org:

From: Stephen Kitt <skitt@debian.org>
To: 931222-close@bugs.debian.org
Subject: Bug#931222: fixed in dosbox 0.74-4.2+deb9u2
Date: Tue, 16 Jul 2019 21:32:32 +0000
Source: dosbox
Source-Version: 0.74-4.2+deb9u2

We believe that the bug you reported is fixed in the latest version of
dosbox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 931222@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Kitt <skitt@debian.org> (supplier of updated dosbox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 08 Jul 2019 08:53:37 +0200
Source: dosbox
Architecture: source
Version: 0.74-4.2+deb9u2
Distribution: stretch-security
Urgency: medium
Maintainer: Jan Dittberner <jandd@debian.org>
Changed-By: Stephen Kitt <skitt@debian.org>
Closes: 931222
Changes:
 dosbox (0.74-4.2+deb9u2) stretch-security; urgency=medium
 .
   * Apply upstream fixes for two security issues:
     - CVE-2019-7165: long lines in batch files would overflow the parsing
       buffer;
     - CVE-2019-12594: programs running inside DOSBox could access /proc.
     Closes: #931222.
Checksums-Sha1:
 78a77203947225bcf2d88e1917b242d45af69807 1941 dosbox_0.74-4.2+deb9u2.dsc
 2d99f0013350efb29b769ff19ddc8e4d86f4e77e 1265711 dosbox_0.74.orig.tar.gz
 fec2d24850ad873ceda2bad68d67a2eac4e12a93 95524 dosbox_0.74-4.2+deb9u2.debian.tar.xz
 053c0d45fee3c8fd703dca28eafc2d9ea841f39b 10360 dosbox_0.74-4.2+deb9u2_source.buildinfo
Checksums-Sha256:
 1fc34248fcb56f5423b747e732e7d743c9b85c5fca85c4e409e5d6a96335d4ec 1941 dosbox_0.74-4.2+deb9u2.dsc
 13f74916e2d4002bad1978e55727f302ff6df3d9be2f9b0e271501bd0a938e05 1265711 dosbox_0.74.orig.tar.gz
 9cab0ee4ed1d5e1ff8e31bfc569d20382d3fed0dc75bbfaa4a0a5695015ad34b 95524 dosbox_0.74-4.2+deb9u2.debian.tar.xz
 b11d772ed090cfbd6d5d7dffd40f584411d80d02ee1273de09ec8148564e5ef1 10360 dosbox_0.74-4.2+deb9u2_source.buildinfo
Files:
 95497978547768448ca53d2bec78c5a7 1941 otherosfs optional dosbox_0.74-4.2+deb9u2.dsc
 b9b240fa87104421962d14eee71351e8 1265711 otherosfs optional dosbox_0.74.orig.tar.gz
 e487cc6eba6a0a84a5c6880a634742f3 95524 otherosfs optional dosbox_0.74-4.2+deb9u2.debian.tar.xz
 1f5dfc04c8e36c33b4cd60a2f12e32ab 10360 otherosfs optional dosbox_0.74-4.2+deb9u2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Stephen Kitt <skitt@debian.org>:
You have taken responsibility. (Thu, 18 Jul 2019 19:21:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 18 Jul 2019 19:21:06 GMT)


Message #28 received at 931222-close@bugs.debian.org:

From: Stephen Kitt <skitt@debian.org>
To: 931222-close@bugs.debian.org
Subject: Bug#931222: fixed in dosbox 0.74-3-1
Date: Thu, 18 Jul 2019 19:19:17 +0000
Source: dosbox
Source-Version: 0.74-3-1

We believe that the bug you reported is fixed in the latest version of
dosbox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 931222@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Kitt <skitt@debian.org> (supplier of updated dosbox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 Jul 2019 20:55:50 +0200
Source: dosbox
Architecture: source
Version: 0.74-3-1
Distribution: unstable
Urgency: medium
Maintainer: Stephen Kitt <skitt@debian.org>
Changed-By: Stephen Kitt <skitt@debian.org>
Closes: 931222
Changes:
 dosbox (0.74-3-1) unstable; urgency=medium
 .
   * New upstream release, including security fixes:
     - CVE-2019-7165: long lines in batch files would overflow the parsing
       buffer;
     - CVE-2019-12594: programs running inside DOSBox could access /proc.
     Closes: #931222.
   * Switch to debhelper compatibility level 12.
Checksums-Sha1:
 5090675cfe7619c87ea35c6020615642136193ed 1980 dosbox_0.74-3-1.dsc
 1e1dd91d13c283fd5fc3104a3eac95bec7203dbc 1326339 dosbox_0.74-3.orig.tar.gz
 15f7b5601df8406bff9ad9e23a29cf3720ced073 89920 dosbox_0.74-3-1.debian.tar.xz
 dc58ba2c45cdfce0a9d782bac3a27131fada551a 10504 dosbox_0.74-3-1_source.buildinfo
Checksums-Sha256:
 6612b4eaa8c7e54bb25c4467d7385cd8248bbc0edc3dfa02a47a5877ce15c8c8 1980 dosbox_0.74-3-1.dsc
 c0d13dd7ed2ed363b68de615475781e891cd582e8162b5c3669137502222260a 1326339 dosbox_0.74-3.orig.tar.gz
 737735e6d582853bad8e52e916315175fde52c21d8df1ecae539f63df61f87f9 89920 dosbox_0.74-3-1.debian.tar.xz
 ee1899ea1afc88afa98ae318eb7bd3e31c6a20dfa31343f3a6bb00382398ffdc 10504 dosbox_0.74-3-1_source.buildinfo
Files:
 a83b82c2591ac83849517eadec1f4197 1980 otherosfs optional dosbox_0.74-3-1.dsc
 759c75fffb59c542f80fb8391012911b 1326339 otherosfs optional dosbox_0.74-3.orig.tar.gz
 2b2cdc6bc0531548e4c5c0476a4ec92c 89920 otherosfs optional dosbox_0.74-3-1.debian.tar.xz
 63d57d5ba4b50aa7767ce7df660f8247 10504 otherosfs optional dosbox_0.74-3-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Sep 2019 07:27:30 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 02:23:30 2025; Machine Name: bembo
