Your message dated Tue, 16 Jul 2019 21:05:43 +0000
with message-id <e1hnudr-0007td...@fasolo.debian.org>
and subject line Bug#931222: fixed in dosbox 0.74-2-3+deb10u1
has caused the Debian Bug report #931222,
regarding dosbox: CVE-2019-7165 CVE-2019-12594
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
931222: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931222
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dosbox
Version: 0.74-2-3
Severity: important
Tags: security upstream
Control: found -1 0.74-4.2+deb9u1
Control: found -1 0.74-4
Hi,
The following vulnerabilities were published for dosbox.
> From https://www.dosbox.com/news.php?show_news=1
>
> DOSBox 0.74-3 has been released!
>
> A security release for DOSBox 0.74:
>
> - Fixed that a very long line inside a bat file would overflow the
>   parsing buffer. (CVE-2019-7165 by Alexandre Bartel)
> - Added a basic permission system so that a program running inside
>   DOSBox can't access the contents of /proc (e.g. /proc/self/mem)
>   when / or /proc were (to be) mounted. (CVE-2019-12594 by Alexandre
>   Bartel)
> - Several other fixes for out of bounds access and buffer overflows.
> - Some fixes to the OpenGL rendering.
>
>
> The game compatibility should be identical to 0.74 and 0.74-2.
> It's recommended to use config -securemode when dealing with
> untrusted files.
>
>
> Ideally, 0.75 should have been released by now, but some bugs took a
> lot longer than expected.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-7165
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7165
[1] https://security-tracker.debian.org/tracker/CVE-2019-12594
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12594
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
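The first fix quoted in the report above (CVE-2019-7165) concerns a batch-file line that is longer than the buffer it is parsed into. The following C code is an added illustration, not DOSBox's code and not part of the original messages: it sets that bug class beside a bounded reader. `LINE_CAP`, the function names and the sample script are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

#define LINE_CAP 16 /* assumed demo size, not DOSBox's real buffer size */

/* Constructed sample batch script; the second line is longer than LINE_CAP. */
const char SAMPLE[] = "@echo off\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\ndir\n";

/* Bug class, for contrast only (never called here): every byte up to the
 * newline is stored, so a line longer than the buffer writes past its end. */
size_t read_line_unbounded(const char **src, char *out) {
    size_t n = 0;
    while (**src && **src != '\n') out[n++] = *(*src)++;
    if (**src == '\n') (*src)++;
    out[n] = '\0';
    return n;
}

/* Hardened form: store at most cap-1 bytes, but still consume the rest of an
 * over-long line so its tail is not parsed as a separate command next call. */
size_t read_line_bounded(const char **src, char *out, size_t cap, int *truncated) {
    size_t n = 0;
    *truncated = 0;
    if (cap == 0) { *truncated = 1; return 0; }
    while (**src && **src != '\n') {
        if (n + 1 < cap) out[n++] = **src;
        else *truncated = 1;
        (*src)++;
    }
    if (**src == '\n') (*src)++;
    out[n] = '\0';
    return n;
}

/* Count lines that would not fit; a caller can refuse the script if > 0. */
int count_truncated(const char *script) {
    char buf[LINE_CAP];
    int t, bad = 0;
    while (*script) {
        read_line_bounded(&script, buf, sizeof buf, &t);
        bad += t;
    }
    return bad;
}

int main(void) {
    printf("over-long lines: %d\n", count_truncated(SAMPLE));
    return 0;
}
```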
--- Begin Message ---
Source: dosbox
Source-Version: 0.74-2-3+deb10u1
We believe that the bug you reported is fixed in the latest version of
dosbox, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 931...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stephen Kitt <sk...@debian.org> (supplier of updated dosbox package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 08 Jul 2019 09:15:40 +0200
Source: dosbox
Architecture: source
Version: 0.74-2-3+deb10u1
Distribution: buster-security
Urgency: medium
Maintainer: Stephen Kitt <sk...@debian.org>
Changed-By: Stephen Kitt <sk...@debian.org>
Closes: 931222
Changes:
 dosbox (0.74-2-3+deb10u1) buster-security; urgency=medium
 .
   * Apply upstream fixes for two security issues:
     - CVE-2019-7165: long lines in batch files would overflow the parsing
       buffer;
     - CVE-2019-12594: programs running inside DOSBox could access /proc.
     along with a number of buffer overrun fixes. Closes: #931222.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---