Description of problem: New version of DOSBox has been released, covers a few CVE also DOSBox 0.74-3 has been released! A security release for DOSBox 0.74: Fixed that a very long line inside a bat file would overflow the parsing buffer. (CVE-2019-7165 by Alexandre Bartel) Added a basic permission system so that a program running inside DOSBox can't access the contents of /proc (e.g. /proc/self/mem) when / or /proc were (to be) mounted. (CVE-2019-12594 by Alexandre Bartel) Several other fixes for out of bounds access and buffer overflows. Some fixes to the OpenGL rendering. Many thanks
Thanks for the report. We will have a look.
Please note, that this is a bugfix update fixing 2 CVEs. It should be released also to Fedora 29 and RHEL (not only Fedora 30). Flathub and other distributions (e.g. Arch) are already shipping this bugfix update. Can we get some ETA on this?
Please understand that packaging DOSBox is done on our free time and as such there is no ETA. As I mentioned before I am looking at updating to 0.74-3.
FEDORA-2019-6b86d0f1c0 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6b86d0f1c0
FEDORA-2019-32f7cd9b66 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-32f7cd9b66
FEDORA-EPEL-2019-12067fc897 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-12067fc897
DOSBox has been updated for rawhide and all stable branches since upstream mentions "The game compatibility should be identical to 0.74 and 0.74-2": https://sourceforge.net/p/dosbox/news/2019/06/dosbox-074-3-has-been-released/ Please test and leave karma on bodhi.
dosbox-0.74.3-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-12067fc897
dosbox-0.74.3-2.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6b86d0f1c0
dosbox-0.74.3-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-32f7cd9b66
Hi Simon, Patryk, dosbox-0.74.3-2 should hit updates-testing mirrors soon. Please test and leave karma on bodhi (links above).
dosbox-0.74.3-2.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
Hi hfk, would you be so kind to test and provide karma to the EPEL7 update: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-12067fc897
After installing this RPM the scaler function no longer works. I downgraded the RPM to version dosbox-0.74.2-3.fc30.x86_64 and the scaler function was working again. Was this expected based on the CVE? -- Stefan Christensen
I can't confirm this problem - for me, all scalers I tested are working as expected in DOSBox 0.74-3. Tested scalers: `normal2x`, `normal3x`, `normal2x forced`, `hq3x`, `rgb3x`, `rgb2x forced` in a number of games, using `sdl.output=opengl` (I am using steam-dos 0.4.2 to invoke dosbox). AFAIK CVE fixes were in no way connected to any update to scaler implementation. @Stefan what `sdl.output`, scaler and game are you testing?
Closing as dosbox-0.74.3-2.fc30 has been pushed. Stefan, if you'd like to provide the information Patryk has asked for, please open a new bug.
For people finding this issue via search engines in the future: problems like this one are likely caused by users' personal configuration in ~/.dosbox dir. DOSBox generates *new* user configuration file after each update - so if you modified your settings in ~/.dosbox/dosbox-74-2.conf, a new file will be created for version 0.74-3.
dosbox-0.74.3-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.