Response from our finder: I saw that they’ve replied to this bug and deemed it not a security issue. I don’t agree with that, as their reason is that bxrc is a config file. Of course it is, but it’s part of the packaging for a virtual machine.
Example: If I packaged up a test.img with a malicious test.bxrc, got a user to download my TestOS package and run it in Bochs, the target could be exploited. I don’t see much difference between a VMware VMX file and a Bochs BXRC file; both are VM config files, and if these issues were present in VMware’s parsing of a VMX file, they’d treat it (as they have in the past) as a serious security issue:
http://osvdb.com/search/search?search%5Bvuln_title%5D=vmware+vmx&search%5Btext_type%5D=alltext&search%5Brefid%5D=&search%5Breferencetypes%5D=&kthx=search

--
https://bugs.launchpad.net/bugs/1313194
Title: Bochs Multiple Vulnerabilities