[qubes-users] XSAs released on 2022-04-05

2022-04-05 Thread Andrew David Wong

Dear Qubes Community,

The Xen Project has released one or more Xen Security Advisories (XSAs).
The security of Qubes OS *is affected*.
Therefore, *user action is required*.


XSAs that affect the security of Qubes OS (user action required)
----------------------------------------------------------------

The following XSAs *do affect* the security of Qubes OS:

- XSA-399
- XSA-400

Please see *QSB-079* for the actions users must take in order to
protect themselves, as well as further details about these XSAs:




XSAs that do not affect the security of Qubes OS (no user action required)
--------------------------------------------------------------------------

The following XSAs *do not affect* the security of Qubes OS, and no user 
action is necessary:


- XSA-397 (denial of service only)


Related links
-------------

- Xen XSA list: 
- Qubes XSA tracker: 
- Qubes security pack (qubes-secpack): 
- Qubes security bulletins (QSBs): 


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2022/04/05/xsas-released-on-2022-04-05/

--
Andrew David Wong
Community Manager
The Qubes OS Project
https://www.qubes-os.org

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/07a2f016-7584-51e0-14d3-2c58f42fe909%40qubes-os.org.


[qubes-users] QSB-079: Two IOMMU-related Xen issues (XSA-399, XSA-400)

2022-04-05 Thread Andrew David Wong

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 079: Two IOMMU-
related Xen issues (XSA-399, XSA-400). The text of this QSB is
reproduced below. This QSB and its accompanying signatures will always
be available in the Qubes Security Pack (qubes-secpack).

View QSB-079 in the qubes-secpack:



In addition, you may wish to:

- Get the qubes-secpack: 
- View all past QSBs: 
- View the XSA Tracker: 

```

 ---===[ Qubes Security Bulletin 079 ]===---

 2022-04-05

Two IOMMU-related Xen issues (XSA-399, XSA-400)


User action required
--------------------

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.0, in dom0:
  - Xen packages, version 4.8.5-39

  For Qubes 4.1, in dom0:
  - Xen packages, version 4.14.4-4

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]

Dom0 must be restarted afterward in order for the updates to take
effect.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.


Summary
-------

The following security advisories were published on 2022-04-05:

XSA-399 [3] "race in VT-d domain ID cleanup":

| Xen domain IDs are up to 15 bits wide.  VT-d hardware may allow for only
| less than 15 bits to hold a domain ID associating a physical device with
| a particular domain.  Therefore internally Xen domain IDs are mapped to
| the smaller value range.  The cleaning up of the housekeeping structures
| has a race, allowing for VT-d domain IDs to be leaked and flushes to be
| bypassed.


XSA-400 [4] "IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling
issues":

| Certain PCI devices in a system might be assigned Reserved Memory
| Regions (specified via Reserved Memory Region Reporting, "RMRR") for
| Intel VT-d or Unity Mapping ranges for AMD-Vi.  These are typically used
| for platform tasks such as legacy USB emulation.
|
| Since the precise purpose of these regions is unknown, once a device
| associated with such a region is active, the mappings of these regions
| need to remain continuously accessible by the device.  This requirement
| has been violated.
|
| Subsequent DMA or interrupts from the device may have unpredictable
| behaviour, ranging from IOMMU faults to memory corruption.


Impact
------

The precise impact of XSA-399 and XSA-400 is system-specific but
would typically be a denial of service (DoS) affecting the entire
host. Privilege escalation and information leaks cannot be ruled out.

XSA-399 affects only Qubes OS 4.1. Qubes OS 4.0 is not affected due to
the version of Xen it uses. This issue affects only qubes with assigned
PCI devices, which are sys-net and sys-usb in the default Qubes OS
configuration.

XSA-400 affects both Qubes OS 4.0 and 4.1. It affects only qubes with
assigned PCI devices that have an associated RMRR or unity map. This
usually applies to USB controllers, which are assigned to the sys-usb
qube in the default Qubes OS configuration.


Credits
-------

See the original Xen Security Advisory.


References
----------

[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-399.html
[4] https://xenbits.xen.org/xsa/advisory-400.html

--
The Qubes Security Team
https://www.qubes-os.org/security/

```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2022/04/05/qsb-079/



Re: [qubes-users] Strategy Question: salt & installation of 3rd party software from web scraped URL - impossible in no-web templates

2022-04-05 Thread David Hobach

> A related question: howto transfer a binary file (like the citrix
> tarball) to dom0 for integration into the salt setup?
>
> the `qvm-run` and `cat`-based version in the docs does not work in this
> case.


Just pack it into one *.tar.gz and then use the qvm-run cat commands to 
transfer it from the source VM to dom0. It works with any file, just not with 
directories - so you need to pack those.





Re: [qubes-users] Strategy Question: salt & installation of 3rd party software from web scraped URL - impossible in no-web templates

2022-04-05 Thread 'Johannes Graumann' via qubes-users
On Tue, 2022-04-05 at 19:39 +0200, 'Johannes Graumann' via qubes-users
wrote:
> On Tue, 2022-04-05 at 19:37 +0200, David Hobach wrote:
> > And the last time I tried Citrix on Qubes, I just installed it to
> > the
> > home directory (there was a tarball for download IIRC).
> This is really exciting ... will try this ... the rpm puts it into
> `/opt` ... would remove the need for a dedicated template.
> 
> Thanks!
> 

A related question: howto transfer a binary file (like the citrix
tarball) to dom0 for integration into the salt setup?

the `qvm-run` and `cat`-based version in the docs does not work in this
case.



Re: [qubes-users] Strategy Question: salt & installation of 3rd party software from web scraped URL - impossible in no-web templates

2022-04-05 Thread 'Johannes Graumann' via qubes-users
On Tue, 2022-04-05 at 19:37 +0200, David Hobach wrote:
> And the last time I tried Citrix on Qubes, I just installed it to the
> home directory (there was a tarball for download IIRC).
This is really exciting ... will try this ... the rpm puts it into
`/opt` ... would remove the need for a dedicated template.

Thanks!



Re: [qubes-users] Strategy Question: salt & installation of 3rd party software from web scraped URL - impossible in no-web templates

2022-04-05 Thread David Hobach

And the last time I tried Citrix on Qubes, I just installed it to the home 
directory (there was a tarball for download IIRC).





Re: [qubes-users] Strategy Question: salt & installation of 3rd party software from web scraped URL - impossible in no-web templates

2022-04-05 Thread David Hobach

> How would you go about this? Just manual downloading the rpm and
> installing it into the template does the trick, but I'd vastly prefer a
> salty solution.


I tend to download it once, store it with my salt stuff and install it via salt.
This also avoids untrusted download issues / limits them to the first download 
only.



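The two replies in this thread (pack a directory into one tarball before the qvm-run/cat transfer, and keep a once-downloaded artifact with the salt files instead of re-fetching it) can be combined into a small dom0 helper that also refuses an artifact whose hash no longer matches what was pinned after the first trusted download. This is an added example, not code from the thread or from the Qubes project; it assumes the documented `qvm-run --pass-io VM 'cat FILE'` pattern, POSIX sh with `sha256sum` in dom0, and a user-pinned SHA-256 (the `QVM_RUN` override and the placeholder hash in the usage comment are assumptions for local testing).

```shell
#!/bin/sh
# Added example (not from the thread): pull a packed archive from a qube into
# dom0 with the documented qvm-run/cat pattern, but keep it only if its SHA-256
# matches a hash pinned the first time the artifact was fetched.
set -u

# Command that runs a shell line inside a qube and pipes its stdout back.
# Overridable (assumption) so the functions can be exercised without Qubes.
QVM_RUN="${QVM_RUN:-qvm-run --pass-io}"

# Pack a directory inside the source qube: qvm-run/cat moves single files
# only, so a directory (e.g. an unpacked Citrix client) must become one
# tarball first.
pack_dir() {  # pack_dir <dir> <out.tar.gz>
    tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
}

# Copy <src> from <vm> to <dest> in dom0 and verify it against <sha256>.
# Returns 0 on success; on a transfer error or hash mismatch the partial or
# wrong file is deleted and 1 is returned, so a truncated or tampered
# artifact never lands in the salt tree.
fetch_verified() {  # fetch_verified <vm> <src> <dest> <sha256>
    vm=$1; src=$2; dest=$3; want=$4
    # shellcheck disable=SC2086  # QVM_RUN is intentionally word-split
    $QVM_RUN "$vm" "cat -- '$src'" > "$dest" || { rm -f "$dest"; return 1; }
    got=$(sha256sum "$dest" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
        echo "hash mismatch for $dest: got $got, want $want" >&2
        rm -f "$dest"
        return 1
    fi
}

# Usage in dom0 (qube name, paths and hash are placeholders; pin the real
# hash after the first download you have checked yourself):
#   fetch_verified download-vm /home/user/icaclient.tar.gz \
#       /path/to/your/salt/files/icaclient.tar.gz <PINNED_SHA256>
```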


[qubes-users] Strategy Question: salt & installation of 3rd party software from web scraped URL - impossible in no-web templates

2022-04-05 Thread 'Johannes Graumann' via qubes-users
Hi,

I'm maintaining my setup using salt.

For work I need to use proprietary software (citrix client) - a picture
perfect use case for a dedicated template/app vm combo (sadly there
isn't a flatpak, which via user space-installation would allow me to
bypass the dedicated template).

Citrix now is playing nasty:
https://www.citrix.com/de-de/downloads/workspace-app/linux/workspace-app-for-linux-latest.html
has *.debs, *.rpms and tarballs ready for download, but some java
script magic adds individualized tokens to the download links, to
prevent straight linking to the resources.

Some nice person has figured out how to circumvent that using bash
scripting in the AUR of ArchLinux
(https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=icaclient) and
I used that to build a shell script that will deliver a currently valid
download link, which I was thinking to use via `cmd.script` in salt.

However, I now realize that a proper Qubes template does not have
standard internet access even when being updated, so that route is
barred.

How would you go about this? Just manual downloading the rpm and
installing it into the template does the trick, but I'd vastly prefer a
salty solution.

Thanks for reading this far and thank you for any hints.

Joh 



[qubes-users] Where to configure target dir of `qvm-move`/`qvm-copy` (`/home/user/QubesIncomming`)?

2022-04-05 Thread 'Johannes Graumann' via qubes-users
See subject line - I'd like to remap the `/home/user` bit to `/tmp` to
enforce cleanup ...

Thanks for any pointers.

Joh
