Hello,
I am currently investigating which commits exactly fixed CVE-2019-12594 and CVE-2019-7165. I believe CVE-2019-12594 was fixed by
https://sourceforge.net/p/dosbox/code-0/4246/
but I can't find the other commit. Could you point me in the right direction please?
4246 is for the /proc/self/mem thing.
The batch file stuff is in 4236 (the shell_batch.cpp changes), with the CVE-related part being a backport of 3925, which at the time was just a cleanup of the code while fixing a specific game (unrelated to the CVE). (4236 is a bundle of 3 different commits; if you are only interested in the CVE, you only want 3925.)
Please bear in mind that most changes in 74-3 have some improvement to buffer handling/uninitialised memory/compilation, so it might make sense to use just the full release, but that has nothing to do with your question.
I hope this helps.
Thanks for your help. I agree that it makes sense to package the latest version for Debian unstable. However, Debian also maintains different stable releases, and we prefer to backport targeted fixes for security vulnerabilities to keep the changes minimal and not risk regressions. Backporting worked very well; the commits applied almost without fuzz.