Bug 1725365

Summary: New DOSBox release
Product: [Fedora] Fedora
Reporter: Simon Putt <lemonzest>
Component: dosbox
Assignee: François Cami <fdc>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 30
CC: andreas.bierfert, dreamer.tan+fedora, fdc, hfk, stefanchristensen77
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: dosbox-0.74.3-2.fc30
Doc Type: If docs needed, set a value
Last Closed: 2019-11-07 16:08:20 UTC
Type: Bug

Description Simon Putt 2019-06-30 07:50:52 UTC
Description of problem:

A new version of DOSBox has been released; it also covers a few CVEs.


DOSBox 0.74-3 has been released!

A security release for DOSBox 0.74:
Fixed that a very long line inside a bat file would overflow the parsing buffer. (CVE-2019-7165 by Alexandre Bartel)
Added a basic permission system so that a program running inside DOSBox can't access the contents of /proc (e.g. /proc/self/mem) when / or /proc were (to be) mounted. (CVE-2019-12594 by Alexandre Bartel)
Several other fixes for out of bounds access and buffer overflows.
Some fixes to the OpenGL rendering.

Many thanks

Comment 1 François Cami 2019-06-30 08:34:16 UTC
Thanks for the report. We will have a look.

Comment 2 Patryk Obara 2019-07-02 15:09:03 UTC
Please note that this is a bugfix update fixing 2 CVEs. It should also be released to Fedora 29 and RHEL (not only Fedora 30).

Flathub and other distributions (e.g. Arch) are already shipping this bugfix update. Can we get some ETA on this?

Comment 3 François Cami 2019-07-04 21:26:27 UTC
Please understand that packaging DOSBox is done in our free time and as such there is no ETA.
As I mentioned before, I am looking at updating to 0.74-3.

Comment 4 Fedora Update System 2019-07-04 22:00:15 UTC
FEDORA-2019-6b86d0f1c0 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6b86d0f1c0

Comment 5 Fedora Update System 2019-07-04 22:01:34 UTC
FEDORA-2019-32f7cd9b66 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-32f7cd9b66

Comment 6 Fedora Update System 2019-07-04 22:02:49 UTC
FEDORA-EPEL-2019-12067fc897 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-12067fc897

Comment 7 François Cami 2019-07-04 22:06:14 UTC
DOSBox has been updated for rawhide and all stable branches since upstream mentions "The game compatibility should be identical to 0.74 and 0.74-2":
https://sourceforge.net/p/dosbox/news/2019/06/dosbox-074-3-has-been-released/

Please test and leave karma on bodhi.

Comment 8 Fedora Update System 2019-07-05 00:07:10 UTC
dosbox-0.74.3-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-12067fc897

Comment 9 Fedora Update System 2019-07-05 00:46:06 UTC
dosbox-0.74.3-2.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6b86d0f1c0

Comment 10 Fedora Update System 2019-07-05 02:07:53 UTC
dosbox-0.74.3-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-32f7cd9b66

Comment 11 François Cami 2019-07-05 11:15:22 UTC
Hi Simon, Patryk, dosbox-0.74.3-2 should hit updates-testing mirrors soon.
Please test and leave karma on bodhi (links above).

Comment 12 Fedora Update System 2019-07-08 01:08:58 UTC
dosbox-0.74.3-2.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 François Cami 2019-07-10 14:23:33 UTC
Hi hfk, would you be so kind as to test and provide karma to the EPEL7 update: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-12067fc897

Comment 14 Stefan Christensen 2019-07-14 17:42:10 UTC
After installing this RPM the scaler function no longer works.

I downgraded the RPM to version dosbox-0.74.2-3.fc30.x86_64 and the scaler function was working again.

Was this expected based on the CVE?

--
Stefan Christensen

Comment 15 Patryk Obara 2019-07-15 12:50:19 UTC
I can't confirm this problem - for me, all scalers I tested are working as expected in DOSBox 0.74-3. Tested scalers: `normal2x`, `normal3x`, `normal2x forced`, `hq3x`, `rgb3x`, `rgb2x forced` in a number of games, using `sdl.output=opengl` (I am using steam-dos 0.4.2 to invoke dosbox).

AFAIK CVE fixes were in no way connected to any update to scaler implementation.

@Stefan what `sdl.output`, scaler and game are you testing?

Comment 16 François Cami 2019-11-07 16:08:20 UTC
Closing as dosbox-0.74.3-2.fc30 has been pushed.
Stefan, if you'd like to provide the information Patryk has asked for, please open a new bug.

Comment 17 Patryk Obara 2019-11-07 18:47:26 UTC
For people finding this issue via search engines in the future: problems like this one are likely caused by users' personal configuration in the ~/.dosbox dir. DOSBox generates a *new* user configuration file after each update - so if you modified your settings in ~/.dosbox/dosbox-74-2.conf, a new file will be created for version 0.74-3.
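
One way to find the customised settings that did not carry over into the newly generated file, so the patched release can be kept instead of downgrading. This is an added example, not part of the comment above and not DOSBox code: both files are passed by path, and the sample file contents in `demo()` are constructed.

```python
import os
import tempfile

def parse_conf(path):
    """Return {section: {key: value}} for a DOSBox-style .conf file."""
    settings, section = {}, None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].lower()
                settings.setdefault(section, {})
            elif section == "autoexec":
                # Free-form batch commands, not key=value pairs: keep verbatim.
                settings[section].setdefault("lines", []).append(line)
            elif section is not None and "=" in line:
                key, _, value = line.partition("=")
                settings[section][key.strip().lower()] = value.strip()
    return settings

def changed_settings(old_path, new_path):
    """List (section, key, old, new) for every old setting the new file lacks or changes."""
    old, new = parse_conf(old_path), parse_conf(new_path)
    diffs = []
    for section, keys in sorted(old.items()):
        for key, old_val in sorted(keys.items()):
            new_val = new.get(section, {}).get(key)
            if new_val != old_val:
                diffs.append((section, key, old_val, new_val))
    return diffs

def demo():
    # Constructed samples: a customised old file and a freshly generated new one.
    old_text = ("[sdl]\noutput=opengl\n\n[render]\nscaler=hq3x\naspect=false\n\n"
                "[autoexec]\nmount c ~/games\n")
    new_text = ("[sdl]\noutput=surface\n\n[render]\nscaler=normal2x\naspect=false\n\n"
                "[autoexec]\n")
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, text in (("old.conf", old_text), ("new.conf", new_text)):
            paths.append(os.path.join(tmp, name))
            with open(paths[-1], "w", encoding="utf-8") as fh:
                fh.write(text)
        return changed_settings(*paths)

if __name__ == "__main__":
    for section, key, old_val, new_val in demo():
        print(f"[{section}] {key}: {old_val!r} -> {new_val!r}")
```
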

Comment 18 Fedora Update System 2019-11-09 21:17:18 UTC
dosbox-0.74.3-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.