Re: [qubes-users] QSB #42: Linux netback driver OOB access in hash handling (XSA-270)

2018-08-26 Thread Andrew David Wong 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2018-08-26 07:12, David Hobach wrote:
> On 08/14/2018 09:12 PM, Andrew David Wong wrote:
>> Patching
>> =
>>
>> The Xen Project has provided patches to fix this issue.
>>
>> The specific packages that resolve the problems discussed in this
>> bulletin are as follows:
> 
> [..]
> 
>>For Qubes 4.0:
>>- kernel packages, version 4.14.57-2
>>- kernel-latest packages, version 4.17.9-2
> 
> [..]
> 
>>For updates from the stable repository (not immediately available):
>>$ sudo qubes-dom0-update
> 
> Were these pushed to stable yet? Because I don't see them, but maybe my
> update is broken...
> 
> If not, when is that likely to happen?
> 
> Thanks for the good description though!
> 
> Best Regards
> David
> 

The answers to your questions are in a portion of the announcement that
you omitted:

>> These packages will migrate from the security-testing repository to
>> the current (stable) repository over the next two weeks after being
>> tested by the community.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAluC8HMACgkQ203TvDlQ
MDDXuRAAxf9aHUXR3j9Fv3mSa09+DGnSOctn3KO2tWVTGeZFxgiGgGNb1+KU738/
AD8/t/0x0j3D/gW35ZOlgt9bw+WNkYALrtKbOr4ZNB/oe6jhxXDIWNpfcDs6luXb
VxURNi6mkCMbEHcqbPCLsAwHYVa9iEwJSoTYLn311sfI2rDyk84UC/JD1ZOnjkRs
/wJM7J8RrvCIG4o4XgwCfRwOOiOpjCVdWbkGpAJW4aUe9jJyjxbjYS+jfWf9Cc90
pClRqHrjerb2tkswZiJYg3RKbe5bi6jS7AZQ0u9dZyqKvfA8d5baswD+l6ZDQbRS
/DggQalnSAhfie6xRI/NJGdHM9SOypuxMBdloeGHD3HosQ9JhPbpdSYGsXz7s6AV
ZFc5c4DMe/SKFQQaKZVlOAAmxO0bQ+LGgIzDAxwmYPNqYvq7/LH4IDaYn7gKp91W
aUz1XyvPCuNLDcER4DaZJvcshCRRpWRPfJ0TzLd91ewfVWiNhYx+075af3ZyCcZI
EQpn0FxhTQOLN05lxjjYOVlP9FUBQZ0OIrD0XNE/y1wbGNpEFKuxL8rgeUNovamv
4/KU9JXANCR5XmhlqAM8nF6E2PD30hScWdK6GXQZ7Gy23YNO3GevvbB4PYvQPILo
pXrWKrnr/nMStRZl+qXGecAEvtqKCEFeBLP6s2DeLKsDLMa9fXU=
=rEbq
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4d6b0d62-842a-c77c-708c-ba9a3cc05936%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] QSB #42: Linux netback driver OOB access in hash handling (XSA-270)

2018-08-26 Thread David Hobach 

On 08/14/2018 09:12 PM, Andrew David Wong wrote:

Patching
=

The Xen Project has provided patches to fix this issue.

The specific packages that resolve the problems discussed in this
bulletin are as follows:


[..]


   For Qubes 4.0:
   - kernel packages, version 4.14.57-2
   - kernel-latest packages, version 4.17.9-2


[..]


   For updates from the stable repository (not immediately available):
   $ sudo qubes-dom0-update


Were these pushed to stable yet? Because I don't see them, but maybe my 
update is broken...


If not, when is that likely to happen?

Thanks for the good description though!

Best Regards
David

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/129c3ea8-261a-84ce-169d-980005c67d81%40hackingthe.net.
For more options, visit https://groups.google.com/d/optout.


smime.p7s
Description: S/MIME Cryptographic Signature

[qubes-users] QSB #42: Linux netback driver OOB access in hash handling (XSA-270)

2018-08-14 Thread Andrew David Wong 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #42: Linux netback
driver OOB access in hash handling (XSA-270). The text of this QSB is
reproduced below. This QSB and its accompanying signatures will always
be available in the Qubes Security Pack (qubes-secpack).

View QSB #42 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-042-2018.txt

Learn about the qubes-secpack, including how to obtain, verify, and read
it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

View XSA-270 in the XSA Tracker:

https://www.qubes-os.org/security/xsa/#270

```
 ---===[ Qubes Security Bulletin #42 ]===---

 2018-08-14


  Linux netback driver OOB access in hash handling (XSA-270)

Summary


On 2018-08-14, the Xen Security Team published Xen Security Advisory
270 (XSA-270) [1] with the following description:

| Linux's netback driver allows frontends to control mapping of requests
| to request queues.  When processing a request to set or change this
| mapping, some input validation was missing or flawed.
| | A malicious or buggy frontend may cause the (usually privileged)
| backend to make out of bounds memory accesses, potentially resulting
| in one or more of privilege escalation, Denial of Service (DoS), or
| information leaks.

Impact for Qubes
=

The bug affects only the network backend driver, which means that any
qube with access to a network can attack the qube that provides it with
access to that network. For example:

 - In a default configuration, any network-connected AppVM can attack
   sys-firewall, which can in turn attack sys-net.

 - Any qube connected to a VPN Gateway [2] can attack the VPN Gateway
   and potentially steal VPN credentials.

 - Any Whonix Workstation can attack the Whonix Gateway to which it is
   connected, potentially compromising anonymity.

It is important to note, however, that dom0 and network-disconnected
qubes are not affected.

Patching
=

The Xen Project has provided patches to fix this issue.

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes 3.2:
  - kernel packages, version 4.14.57-2
  - kernel-latest packages, version 4.17.9-2

  For Qubes 4.0:
  - kernel packages, version 4.14.57-2
  - kernel-latest packages, version 4.17.9-2

The kernel-latest packages are not installed by default. If you do not
already have them installed, then it is not necessary to install them in
order to fix this issue. However, if you already have them installed,
then we recommend that you update them to the version containing the fix
for this issue.

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A restart of all network-providing qubes will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Linux binaries.

Users who are using in-VM kernels [3] for any of their VMs should note
that installing the packages listed above will not update their in-VM
kernels. We recommend that these users install updates for their in-VM
kernels when the appropriate distributions provide kernel updates that
fix this issue.

Credits


See the original Xen Security Advisory.

References
===

[1] https://xenbits.xen.org/xsa/advisory-270.html
[2] https://www.qubes-os.org/doc/vpn/
[3] 
https://www.qubes-os.org/doc/managing-vm-kernel/#using-kernel-installed-in-the-vm-r40

- --
The Qubes Security Team
https://www.qubes-os.org/security/
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2018/08/14/qsb-42/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAltzKaMACgkQ203TvDlQ
MDCt7hAAgGsGZsatH46WLt7x8KybTdUfxnc3U43Ir3SdPm31DrMrZ4lp7zA4lg9p
viVFt0UhGBhfeow1o9fnGlcRBI30INu+nSJ8oNvmBv9qM24i3xLrgI2HoCfHnnw6
xNA/fsT6cCQ2PzwbbhRxObyIlttsZOMGsQKGh6w6wzbSXMZyeDmxzwrFr6wUymsC
m7pCoSlhrPHMYURPWa3dwWILQFz52EVmp3Swu+UAD3JrM0xfbO2MqjJDUfkq+5Ox
RcrQ9nq4KCVDlY2u2WnwfCa5FGZv3H8FpRhAdEEtMxDbRpPEpNS9xv//9vb5zrgZ
B75Z49u8uPz0EAcbraocWL28ABB1jJmTROBsa9VDk4VXYlThpoMJlPtKoQv22TyS
tjGmtnLLqowfcMz6N1wxLiQ3+ShJgXTnt5xKv819YMJAQkt2ObL87KnWQKQHOcWb
0TgBFX8MASTvnH8YQBDeeY0N7Lr3FOQwOdD9XhbDSseAYoFOhfXwp+EKIaf8QVqG