On 04/13/2017 09:33 PM, cooloutac wrote:
> On Thursday, April 13, 2017 at 11:26:07 PM UTC-4, cooloutac wrote:
>> So probably the kernels are not actually vulnerable. They fixed it a year
>> ago with patches, and with Qubes you assume this sort of priv esc thing
>> regardless, which is why they don't even bother with sudo.
> Actually, when it comes to Red Hat, they claim the code was never there to
> exploit. But Red Hat might not apply to the Fedora kernel, so I'm kind of
> curious myself now.
>
For those who are concerned, this is what is currently in the Qubes
repository for dom0:

current:  kernel-4.4.38, kernel-qubes-vm-4.4.38

current-testing: kernel-4.4.55, kernel-qubes-vm-4.4.55


From what I can tell, the Qubes Kernel is built from the stock kernel
source, so if this bug was fixed months ago, you could probably install
either and be fine (assuming you're running R3.2).


If you're really paranoid, you can build the latest 4.4 kernel (as of
now, it's 4.4.61) yourself and install via rpm with very little
modification using the existing Qubes build scripts.

Assuming you have a Fedora 23 VM with git, gcc and make installed (maybe
a few other things; I'm not sure), run:

git clone https://github.com/QubesOS/qubes-linux-kernel.git

- Switch to the 4.4 branch:

git checkout stable-4.4

- Edit the 'version' file and replace 4.4.55 with 4.4.61

- Then compile:

make rpms

And then copy the kernel and kernel-qubes-vm rpms to dom0 and install
them there using rpm or dnf.

I just did it myself with the 4.4 branch and it builds fine. I haven't
installed it though since I run 4.10 (which is a bit more involved since
some of the patches need to be migrated; I've been applying them by hand
using diff -Nuar so I just need to figure out how to create a patch file
*properly* that doesn't require manual intervention, and then I'll
probably throw up my work on GitHub so others can use it for both 4.9
and 4.10; this GitHub stuff and figuring out how to patch things isn't
my forte yet).

