Your message dated Tue, 16 Jul 2019 21:32:32 +0000
with message-id <e1hnv3o-000b6x...@fasolo.debian.org>
and subject line Bug#931222: fixed in dosbox 0.74-4.2+deb9u2
has caused the Debian Bug report #931222,
regarding dosbox: CVE-2019-7165 CVE-2019-12594
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
931222: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931222
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dosbox
Version: 0.74-2-3
Severity: important
Tags: security upstream
Control: found -1 0.74-4.2+deb9u1
Control: found -1 0.74-4

Hi,

The following vulnerabilities were published for dosbox.

> From https://www.dosbox.com/news.php?show_news=1
> 
> DOSBox 0.74-3 has been released!
> 
> A security release for DOSBox 0.74:
> 
>     Fixed that a very long line inside a bat file would overflow the
>     parsing buffer. (CVE-2019-7165 by Alexandre Bartel)
>
>     Added a basic permission system so that a program running inside
>     DOSBox can't access the contents of /proc (e.g. /proc/self/mem)
>     when / or /proc were (to be) mounted. (CVE-2019-12594 by Alexandre
>     Bartel)
>
>     Several other fixes for out of bounds access and buffer overflows.
>
>     Some fixes to the OpenGL rendering.
> 
> 
> The game compatibility should be identical to 0.74 and 0.74-2.
> It's recommended to use config -securemode when dealing with
> untrusted files.
> 
> 
> Ideally, 0.75 should have been released by now, but some bugs took a
> lot longer than expected.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-7165
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7165
[1] https://security-tracker.debian.org/tracker/CVE-2019-12594
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12594

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: dosbox
Source-Version: 0.74-4.2+deb9u2

We believe that the bug you reported is fixed in the latest version of
dosbox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 931...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Kitt <sk...@debian.org> (supplier of updated dosbox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 08 Jul 2019 08:53:37 +0200
Source: dosbox
Architecture: source
Version: 0.74-4.2+deb9u2
Distribution: stretch-security
Urgency: medium
Maintainer: Jan Dittberner <ja...@debian.org>
Changed-By: Stephen Kitt <sk...@debian.org>
Closes: 931222
Changes:
 dosbox (0.74-4.2+deb9u2) stretch-security; urgency=medium
 .
   * Apply upstream fixes for two security issues:
     - CVE-2019-7165: long lines in batch files would overflow the parsing
       buffer;
     - CVE-2019-12594: programs running inside DOSBox could access /proc.
     Closes: #931222.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
