[qubes-devel] XSAs released on 2023-10-10

2023-10-10 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected*.
Therefore, *user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- [XSA-442](https://xenbits.xen.org/xsa/advisory-442.html)
  - Please see [QSB-095](https://www.qubes-os.org/news/2023/10/10/qsb-095/) for 
details.

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-440](https://xenbits.xen.org/xsa/advisory-440.html)
  - Denial of service (DoS) only
- [XSA-441](https://xenbits.xen.org/xsa/advisory-441.html)
  - Denial of service (DoS) only
- [XSA-443](https://xenbits.xen.org/xsa/advisory-443.html)
  - Qubes OS does not use pygrub.
- [XSA-444](https://xenbits.xen.org/xsa/advisory-444.html)
  - Denial of service (DoS) only

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/10/10/xsas-released-on-2023-10-10/



[qubes-devel] QSB-095: Missing IOMMU TLB flushing on x86 AMD systems

2023-10-10 Thread Andrew David Wong
Dear Qubes Community,

We have published [Qubes Security Bulletin 095: Missing IOMMU TLB flushing on x86 AMD systems](https://github.com/QubesOS/qubes-secpack/blob/main/QSBs/qsb-095-2023.txt).
The text of this QSB and its accompanying cryptographic signatures are
reproduced below. For an explanation of this announcement and instructions for
authenticating this QSB, please see the end of this announcement.

## Qubes Security Bulletin 095

```

 ---===[ Qubes Security Bulletin 095 ]===---

  2023-10-10

Missing IOMMU TLB flushing on x86 AMD systems

User action


Continue to update normally [1] in order to receive the security updates
described in the "Patching" section below. No other user action is required in
response to this QSB.

Summary


On 2023-10-10, the Xen Project published XSA-442, "x86/AMD: missing
IOMMU TLB flushing" [3]:

| The caching invalidation guidelines from the AMD-Vi specification (48882—Rev
| 3.07-PUB—Oct 2022) is incorrect on some hardware, as devices will malfunction
| (see stale DMA mappings) if some fields of the DTE are updated but the IOMMU
| TLB is not flushed.
|
| Such stale DMA mappings can point to memory ranges not owned by the guest,
| thus allowing access to unindented memory regions.

Impact
---

On affected systems, an attacker who compromises a qube with access to a PCI
device could attempt to exploit this vulnerability in order to escalate the
attacker's privileges, perform a denial-of-service (DoS) attack against the
host, and leak information. In the default Qubes OS configuration, the qubes
that have access to PCI devices are sys-net and sys-usb.

Affected systems
-

Only x86 AMD systems are vulnerable.

Patching
-

The following packages contain security updates that address the
vulnerabilities described in this bulletin:

  For Qubes 4.1, in dom0:
  - Xen packages, version 4.14.6-3

  For Qubes 4.2, in dom0:
  - Xen packages, version 4.17.2-3

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [1]

Dom0 must be restarted afterward in order for the updates to take
effect.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.

Credits


See the original Xen Security Advisory.

References
---

[1] https://www.qubes-os.org/doc/how-to-update/
[2] https://www.qubes-os.org/doc/testing/
[3] https://xenbits.xen.org/xsa/advisory-442.html

--
The Qubes Security Team
https://www.qubes-os.org/security/

```


## [Marek Marczykowski-Górecki](https://www.qubes-os.org/team/#marek-marczykowski-górecki)'s PGP signature


## [Simon Gaiser (aka HW42)](https://www.qubes-os.org/team/#simon-gaiser-aka-hw42)'s PGP signature


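The "Patching" section of the QSB above gives a minimum fixed Xen package version per Qubes release and states that only x86 AMD systems are affected. The following added example (not part of the QSB or of Qubes OS tooling) turns those thresholds into a dom0 self-check; it assumes that /etc/qubes-release reads like "Qubes release 4.2 (R4.2)" and that the installed version comes from `rpm -q --qf '%{VERSION}-%{RELEASE}' xen`, and it runs on constructed sample inputs.

```python
"""Added check for QSB-095 patch status; not part of the bulletin or Qubes tooling.
Assumes /etc/qubes-release reads "Qubes release 4.2 (R4.2)" and that the installed
version comes from `rpm -q --qf '%{VERSION}-%{RELEASE}' xen` in dom0."""
import re

# Minimum fixed Xen package versions from the "Patching" section of QSB-095.
FIXED_XEN = {"4.1": "4.14.6-3", "4.2": "4.17.2-3"}

# Constructed sample inputs standing in for the real files on an AMD dom0.
SAMPLE_RELEASE = "Qubes release 4.2 (R4.2)\n"
SAMPLE_CPUINFO = "processor\t: 0\nvendor_id\t: AuthenticAMD\nmodel name\t: AMD Ryzen\n"

def _segments(s):
    """Split into numeric and alphabetic runs, as rpmvercmp does."""
    return [int(x) if x.isdigit() else x for x in re.findall(r"\d+|[A-Za-z]+", s)]

def _cmp_segments(a, b):
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1  # numeric segment beats alphabetic
        return (x > y) - (x < y)
    return (len(a) > len(b)) - (len(a) < len(b))  # leftover segments (e.g. ".fc37") win

def rpm_vercmp(a, b):
    """Compare two VERSION-RELEASE strings: -1, 0 or 1; version first, then release."""
    av, _, ar = a.partition("-")
    bv, _, br = b.partition("-")
    return _cmp_segments(_segments(av), _segments(bv)) or _cmp_segments(_segments(ar), _segments(br))

def is_amd(cpuinfo):  # only x86 AMD systems are affected (vendor_id line of /proc/cpuinfo)
    return re.search(r"^vendor_id\s*:\s*AuthenticAMD\b", cpuinfo, re.M) is not None

def qubes_release(text):
    return next(iter(re.findall(r"release (\d+\.\d+)", text)), None)

def qsb095_status(release_text, cpuinfo, installed_xen):
    """Return 'not-affected', 'patched', 'vulnerable' or 'unknown-release'."""
    if not is_amd(cpuinfo):
        return "not-affected"
    rel = qubes_release(release_text)
    if rel not in FIXED_XEN:
        return "unknown-release"
    return "patched" if rpm_vercmp(installed_xen, FIXED_XEN[rel]) >= 0 else "vulnerable"

if __name__ == "__main__":  # demo on the constructed inputs
    for ver in ("4.17.2-3.fc37", "4.17.1-5.fc37"):
        print(ver, qsb095_status(SAMPLE_RELEASE, SAMPLE_CPUINFO, ver))
```

On a real dom0, replace the constructed constants with the contents of /etc/qubes-release, /proc/cpuinfo and the rpm query output; a "vulnerable" result means the update described in the bulletin has not been installed yet (and dom0 must still be restarted afterward for it to take effect).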