Bug 425101 (CVE-2007-6328)

Summary: CVE-2007-6328 dosbox: access to filesystem of host system
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Andreas Bierfert <andreas.bierfert>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6328
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-12-17 17:28:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2007-12-14 16:15:23 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6328 to the following vulnerability:

** DISPUTED **  DOSBox 0.72 and earlier allows local users to obtain access to the filesystem on the host operating system via the mount command.  NOTE: the researcher reports a vendor response stating that this is not a security problem.

References:

http://www.securityfocus.com/archive/1/archive/1/484835/100/0/threaded
http://aluigi.org/poc/dosboxxx.zip
http://www.frsirt.com/english/advisories/2007/4170
http://xforce.iss.net/xforce/xfdb/38970
Comment 1 Tomas Hoger 2007-12-14 16:28:02 UTC 
Allowing uncontrolled access to filesystem outside of the emulated DOS system
seems to be a design decision for DOSBox, even though it may not be common for
other emulators / virtualization solution.  Given upstream statement mentioned
in original report, this probably won't get changed soon.

Andreas, have you possibly heard some other feedback from DOSBox community about
this announcement?
Comment 2 Andreas Bierfert 2007-12-15 08:53:03 UTC 
No I have to. But from reading through the report this is nothing new imho.
DOSBox  has allowed this for a long time. The assessment of it being a potential
risk is right _but_ it is not like a hidden magic feature but clear from design
so I would say that this is nothing we have to worry about for now.
Comment 3 Tomas Hoger 2007-12-17 17:28:38 UTC 
Given this is design decision and upstream does not seem to change this any time
soon, I'm closing this as WONTFIX.  If upstream decision is changed in the
future, we will likely follow shortly after by moving to new upstream release,
but it does not seem to make sense to do fork at the moment.