Re: [qubes-users] HCL - Purism Librem 14

2021-09-09 Thread Sven Semmler

Thank you MrChromebox for all three HCL reports!

We are currently changing how the reports make it on the website, but they will 
be pushed very soon!

--
 public key: https://www.svensemmler.org/2A632C537D744BC7.asc
fingerprint: DA59 75C9 ABC4 0C83 3B2F 620B 2A63 2C53 7D74 4BC7

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1f21f21c-d90a-4da4-b89f-541b01fbfea2%40SvenSemmler.org.




[qubes-users] QSB-071: Fatal options filtering flaw in Split GPG

2021-09-09 Thread Andrew David Wong

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 071: Fatal options 
filtering flaw in Split GPG. The text of this QSB is reproduced below. 
This QSB and its accompanying signatures will always be available in the 
Qubes Security Pack (qubes-secpack).


View QSB-071 in the qubes-secpack:



In addition, you may wish to:

- Get the qubes-secpack: 
- View all past QSBs: 

```

 ---===[ Qubes Security Bulletin 071 ]===---

 2021-09-09

  Fatal options filtering flaw in Split GPG


User action required
--------------------

Users must install the following specific packages in order to address the
issues discussed in this bulletin:

  For Qubes 4.0, in templates and standalones:
  - qubes-gpg-split 2.0.53

  For Qubes 4.1, in templates and standalones:
  - qubes-gpg-split 2.0.53

Due to the ease with which this flaw can be exploited, we are immediately
migrating these packages to the current (stable) repository, bypassing the
usual testing period. These packages are to be installed via the Qubes Update
tool or its command-line equivalents. [1]


Summary
-------

Split GPG [2] is designed to isolate private keys from the application using
them in order to protect them from being extracted and to allow the user to
retain control over when they are used. This isolation is implemented by
forwarding calls to `gpg` into a backend qube that holds the private keys and
allowing only specific `gpg` options. This option filtering mechanism rejects
options like `--export-secret-keys` and others that might leak private keys to
the frontend qube. Unfortunately, several options were declared incorrectly,
which allowed this filtering mechanism to be bypassed.


Impact
------

An attacker controlling a frontend qube (where `qubes-gpg-client` is executed)
can extract an arbitrary file (including a secret key) from the backend qube.



Discussion
----------

Several `gpg` options were declared incorrectly in Split GPG, which resulted in
Split GPG interpreting them differently than `gpg`. If Split GPG interpreted
one option as an argument to another option, Split GPG would allow it, since
option filtering is performed at the level of the options themselves, not their
arguments. This would allow options misinterpreted as arguments to bypass the
filtering mechanism. Specifically:

- All `--s2k-*` options were declared as not taking arguments when in fact they
  do take arguments.
- `--export-ssh-key` was declared as taking an argument when it doesn't take
  one directly; it does change the meanings of positional arguments, however.
- `--with-colons` was aliased with `-k`, which differs in its argument
  requirements.
- `--default-recipient`, which takes an argument, was interpreted as
  `--default-recipient-self`, which does not take an argument.
- `--display` was interpreted as `--display-charset`, which resulted in
  `--display` being allowed when it should have been denied.

For our immediate, initial response, we have corrected all of these
inconsistencies and added automated testing to verify that GnuPG and Split GPG
both understand the options in the same way.

More generally, we will prioritize finishing Split GPG 2 [3], which does not
rely on option filtering at all. Instead, it uses `gpg-agent`'s protocol to
delegate only secret key processing to the backend qube. In addition to
obviating the need for fragile option filtering, this dramatically reduces the
attack surface, as most of the untrusted data processing is done in the
frontend qube and never reaches the backend qube.

Credits
-------

This issue was discovered by Demi Marie Obenour.

References
----------

[1] https://www.qubes-os.org/doc/updating-qubes-os/
[2] https://www.qubes-os.org/doc/split-gpg/
[3] https://github.com/QubesOS/qubes-issues/issues/474

--
The Qubes Security Team
https://www.qubes-os.org/security/

```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/09/09/qsb-071/



[qubes-users] QSB-071: Fatal options filtering flaw in Split GPG

2021-09-09 Thread Marek Marczykowski-Górecki

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 071: Fatal options
filtering flaw in Split GPG. The text of this QSB is reproduced below.
This QSB and its accompanying signatures will always be available in the
Qubes Security Pack (qubes-secpack).

View QSB-071 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-071-2021.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

```

 ---===[ Qubes Security Bulletin 071 ]===---

 2021-09-09

  Fatal options filtering flaw in Split GPG


User action required
--------------------

Users must install the following specific packages in order to address the
issues discussed in this bulletin:

  For Qubes 4.0, in templates and standalones:
  - qubes-gpg-split 2.0.53

  For Qubes 4.1, in templates and standalones:
  - qubes-gpg-split 2.0.53

Due to the ease with which this flaw can be exploited, we are immediately
migrating these packages to the current (stable) repository, bypassing the
usual testing period. These packages are to be installed via the Qubes Update
tool or its command-line equivalents. [1]


Summary
-------

Split GPG [2] is designed to isolate private keys from the application using
them in order to protect them from being extracted and to allow the user to
retain control over when they are used. This isolation is implemented by
forwarding calls to `gpg` into a backend qube that holds the private keys and
allowing only specific `gpg` options. This option filtering mechanism rejects
options like `--export-secret-keys` and others that might leak private keys to
the frontend qube. Unfortunately, several options were declared incorrectly,
which allowed this filtering mechanism to be bypassed.


Impact
------

An attacker controlling a frontend qube (where `qubes-gpg-client` is executed)
can extract an arbitrary file (including a secret key) from the backend qube.


Discussion
----------

Several `gpg` options were declared incorrectly in Split GPG, which resulted in
Split GPG interpreting them differently than `gpg`. If Split GPG interpreted
one option as an argument to another option, Split GPG would allow it, since
option filtering is performed at the level of the options themselves, not their
arguments. This would allow options misinterpreted as arguments to bypass the
filtering mechanism. Specifically:

- All `--s2k-*` options were declared as not taking arguments when in fact they
  do take arguments.
- `--export-ssh-key` was declared as taking an argument when it doesn't take
  one directly; it does change the meanings of positional arguments, however.
- `--with-colons` was aliased with `-k`, which differs in its argument
  requirements.
- `--default-recipient`, which takes an argument, was interpreted as
  `--default-recipient-self`, which does not take an argument.
- `--display` was interpreted as `--display-charset`, which resulted in
  `--display` being allowed when it should have been denied.

For our immediate, initial response, we have corrected all of these
inconsistencies and added automated testing to verify that GnuPG and Split GPG
both understand the options in the same way.

More generally, we will prioritize finishing Split GPG 2 [3], which does not
rely on option filtering at all. Instead, it uses `gpg-agent`'s protocol to
delegate only secret key processing to the backend qube. In addition to
obviating the need for fragile option filtering, this dramatically reduces the
attack surface, as most of the untrusted data processing is done in the
frontend qube and never reaches the backend qube.

Credits
-------

This issue was discovered by Demi Marie Obenour.

References
----------

[1] https://www.qubes-os.org/doc/updating-qubes-os/
[2] https://www.qubes-os.org/doc/split-gpg/
[3] https://github.com/QubesOS/qubes-issues/issues/474

--
The Qubes Security Team
https://www.qubes-os.org/security/
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/09/09/qsb-071/
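
A minimal model of the parser disagreement described in the QSB-071 Discussion section, and of the kind of consistency check the fix adds, as an added example that is not part of either announcement and not code from qubes-gpg-split. The two tables, the allow list and the sample command line are constructed; only the option names are real `gpg` options.

```python
# Constructed model: option name -> True if it consumes the next token.
# GPG_VIEW stands in for how gpg reads each option; FILTER_VIEW is the
# wrapper's own table, carrying one inconsistency of the kind the QSB lists.
GPG_VIEW = {
    "--armor": False,
    "--sign": False,
    "--local-user": True,
    "--export-ssh-key": False,
    "--export-secret-keys": False,
}
FILTER_VIEW = dict(GPG_VIEW)
FILTER_VIEW["--export-ssh-key"] = True  # misdeclared as taking an argument

# Constructed allow list; --export-secret-keys is deliberately absent.
ALLOWED = {"--armor", "--sign", "--local-user", "--export-ssh-key"}


def options_seen(argv, table):
    """Return the tokens this table parses as options, not as option arguments."""
    seen, i = [], 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            seen.append(tok)
            if table.get(tok, False):
                i += 1  # the next token is swallowed as this option's argument
        i += 1
    return seen


def filter_allows(argv, table):
    """Option-level filtering: every token parsed as an option must be allowed."""
    return all(opt in ALLOWED for opt in options_seen(argv, table))


def table_mismatches(filter_table, reference_table):
    """Consistency test: options the two sides declare differently."""
    names = set(filter_table) | set(reference_table)
    return sorted(n for n in names if filter_table.get(n) != reference_table.get(n))


def hidden_options(argv, filter_table, reference_table):
    """Options the reference parser acts on that the filter never inspected."""
    inspected = options_seen(argv, filter_table)
    return [o for o in options_seen(argv, reference_table) if o not in inspected]


# Constructed command line, not taken from the bulletin.
SAMPLE = ["--armor", "--export-ssh-key", "--export-secret-keys", "KEYID"]
```

Running `table_mismatches` over the full declaration tables in CI catches the error before any command line is parsed; `hidden_options` shows why a single wrong entry defeats an otherwise correct allow list.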



Re: [qubes-users] qvm-usb is broken in qubes 4 / debian-10

2021-09-09 Thread 'cubit' via qubes-users
Sep 8, 2021, 11:12 by vita...@premium-security.com:

> [user@dom0 ~]$ qvm-usb a myvm sys-usb:2-3
> Device attach failed: /usr/lib/qubes/usb-import: 50: 
> /usr/lib/qubes/usb-import: cannot open /sys/devices/platform/vhci_hcd/status: 
> No such fileNo unused port found! VM: "work-term" File: 
> "/usr/lib/qubes/usb-import" Version Control: 
> https://github.com/QubesOS/qubes-app-linux-usb-proxy/blob/master/src/usb-import/usr/lib/qubes/usb-import:
>  81: /usr/lib/qubes/usb-import: cannot create 
> /sys/devices/platform/vhci_hcd/attach: Directory nonexistent
> [user@dom0 ~]$
>
I think you are experiencing this issue

https://github.com/QubesOS/qubes-issues/issues/6868



Re: [qubes-users] qvm-usb is broken in qubes 4 / debian-10

2021-09-09 Thread unman
On Wed, Sep 08, 2021 at 09:00:17PM +0400, Vitali Andrusevich wrote:
> Small update:
> 
> Upgraded Debian Template From Debian-10 to Debian-11.
> It didn't help unfortunately. Problem persists.
> 
> BTW, USB attachment to VM running Fedora-32 Template still works without any
> problems.
> 
> Regards,
> Vit

You don't say if you are using 4.0 or 4.1
I don't see this behaviour in either.
Can you test with a vanilla template (either 10 or 11)? Have you made
any modifications to that template?



Re: [qubes-users] building cubes how to include custom patches

2021-09-09 Thread unman
On Thu, Sep 02, 2021 at 08:46:38PM +, 'awokd' via qubes-users wrote:
> ludwig...@gmail.com:
> > Hi all,
> > I would like to patch some sources of xen and would like to know how
> > to introduce the patches into the build system.
> 
> There is a patch directory somewhere in the build environment where custom
> Qubes patches get applied to the Xen kernel. It may be inside the chroot
> filesystem, but I don't have a build VM handy to confirm. Run something like
> "sudo find -name *patch*" at the top level of your build machine and I think
> you can find it, then check the make file that applies the patches to add
> your own.

Put with the other patches in vmm-xen, and adjust xen.spec.in



[qubes-users] Comments on Lenovo ThinkPad P14s Gen 2?

2021-09-09 Thread Lasse Kliemann
I'm considering buying a Lenovo ThinkPad P14s Gen 2 with the following 
configuration:

i7-1185G7 CPU
48 GB DDR4 3200 MHz
1 TB SSD, M.2 2280, PCIe, NVMe
UHD (3840 x 2160)
NVIDIA Quadro T500 4 GB GDDR6

Any concerns regarding the use of Qubes OS 4.0.4 on this machine?

Moreover, I can choose between:

Intel Wi-Fi 6E AX210 11AX (2x2) & Bluetooth 5.2 vPro
Intel® Wi-Fi 6 AX201 (2x2), Bluetooth 5.0 or higher

Is one of them to be preferred?

Thanks.

(I know they sell this product also with Ryzen CPU. But the reports on this do 
not look convincing for a production system yet.)

-- 
Kind Regards / MfG
Dr. Lasse Kliemann
Westring 269, 24116 Kiel, Germany
E-Mail: la...@lassekliemann.de
Telegram / Wire: @lassekliemann
Phone: +49 162 66 88 468
 
Work Address:
Department of Mathematics
Kiel University
*Heinrich-Hecht-Platz 6*, 24118 Kiel, Germany
E-Mail: l.kliem...@math.uni-kiel.de
