Comment 4 for bug 1313194

Thanks for the additional details; I do not think this would be a security problem but rather just regular bugs -- the configuration file is similar to typing command line arguments at the shell, since they can specify to write to any file the user has access to, or pass-through PCI devices from the host to guests. It would not be appropriate to use a supplied configuration file without inspecting it first.

I've filed a report with upstream bochs bug tracker: https://sourceforge.net/p/bochs/bugs/1347/

Thanks