Bug 1725365 - New DOSBox release
Summary: New DOSBox release
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: dosbox
Version: 30
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: François Cami
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-06-30 07:50 UTC by Simon Putt
Modified: 2019-11-09 21:17 UTC (History)
5 users (show)

Fixed In Version: dosbox-0.74.3-2.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-07 16:08:20 UTC


Attachments (Terms of Use)

Description Simon Putt 2019-06-30 07:50:52 UTC
Description of problem:

New version of DOSBox has been released, covers a few CVE also


DOSBox 0.74-3 has been released!

A security release for DOSBox 0.74:
Fixed that a very long line inside a bat file would overflow the parsing buffer. (CVE-2019-7165 by Alexandre Bartel)
Added a basic permission system so that a program running inside DOSBox can't access the contents of /proc (e.g. /proc/self/mem) when / or /proc were (to be) mounted. (CVE-2019-12594 by Alexandre Bartel)
Several other fixes for out of bounds access and buffer overflows.
Some fixes to the OpenGL rendering.

Many thanks

Comment 1 François Cami 2019-06-30 08:34:16 UTC
Thanks for the report. We will have a look.

Comment 2 Patryk Obara 2019-07-02 15:09:03 UTC
Please note, that this is a bugfix update fixing 2 CVEs. It should be released also to Fedora 29 and RHEL (not only Fedora 30).

Flathub and other distributions (e.g. Arch) are already shipping this bugfix update. Can we get some ETA on this?

Comment 3 François Cami 2019-07-04 21:26:27 UTC
Please understand that packaging DOSBox is done on our free time and as such there is no ETA.
As I mentioned before I am looking at updating to 0.74-3.

Comment 4 Fedora Update System 2019-07-04 22:00:15 UTC
FEDORA-2019-6b86d0f1c0 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6b86d0f1c0

Comment 5 Fedora Update System 2019-07-04 22:01:34 UTC
FEDORA-2019-32f7cd9b66 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-32f7cd9b66

Comment 6 Fedora Update System 2019-07-04 22:02:49 UTC
FEDORA-EPEL-2019-12067fc897 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-12067fc897

Comment 7 François Cami 2019-07-04 22:06:14 UTC
DOSBox has been updated for rawhide and all stable branches since upstream mentions "The game compatibility should be identical to 0.74 and 0.74-2":
https://sourceforge.net/p/dosbox/news/2019/06/dosbox-074-3-has-been-released/

Please test and leave karma on bodhi.

Comment 8 Fedora Update System 2019-07-05 00:07:10 UTC
dosbox-0.74.3-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-12067fc897

Comment 9 Fedora Update System 2019-07-05 00:46:06 UTC
dosbox-0.74.3-2.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6b86d0f1c0

Comment 10 Fedora Update System 2019-07-05 02:07:53 UTC
dosbox-0.74.3-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-32f7cd9b66

Comment 11 François Cami 2019-07-05 11:15:22 UTC
Hi Simon, Patryk, dosbox-0.74.3-2 should hit updates-testing mirrors soon.
Please test and leave karma on bodhi (links above).

Comment 12 Fedora Update System 2019-07-08 01:08:58 UTC
dosbox-0.74.3-2.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 François Cami 2019-07-10 14:23:33 UTC
Hi hfk, would you be so kind to test and provide karma to the EPEL7 update: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-12067fc897

Comment 14 Stefan Christensen 2019-07-14 17:42:10 UTC
After installing this RPM the scaler function no longer works.

I downgraded the RPM to version dosbox-0.74.2-3.fc30.x86_64 and the scaler function was working again.

Was this expected based on the CVE?

--
Stefan Christensen

Comment 15 Patryk Obara 2019-07-15 12:50:19 UTC
I can't confirm this problem - for me, all scalers I tested are working as expected in DOSBox 0.74-3. Tested scalers: `normal2x`, `normal3x`, `normal2x forced`, `hq3x`, `rgb3x`, `rgb2x forced` in a number of games, using `sdl.output=opengl` (I am using steam-dos 0.4.2 to invoke dosbox).

AFAIK CVE fixes were in no way connected to any update to scaler implementation.

@Stefan what `sdl.output`, scaler and game are you testing?

Comment 16 François Cami 2019-11-07 16:08:20 UTC
Closing as dosbox-0.74.3-2.fc30 has been pushed.
Stefan, if you'd like to provide the information Patryk has asked for, please open a new bug.

Comment 17 Patryk Obara 2019-11-07 18:47:26 UTC
For people finding this issue via search engines in the future: problems like this one are likely caused by users' personal configuration in ~/.dosbox dir. DOSBox generates *new* user configuration file after each update - so if you modified your settings in ~/.dosbox/dosbox-74-2.conf, a new file will be created for version 0.74-3.

Comment 18 Fedora Update System 2019-11-09 21:17:18 UTC
dosbox-0.74.3-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.