[qubes-users] XSAs released on 2022-01-25

[Andrew David Wong]

Dear Qubes Community,

The Xen Project has released one or more Xen Security Advisories (XSAs).
The security of Qubes OS *is affected*.
Therefore, *user action is required*.


XSAs that affect the security of Qubes OS (user action required)


The following XSAs *do affect* the security of Qubes OS:

- XSA-395

Please see *QSB-075* for the actions users must take in order to
protect themselves, as well as further details about these XSAs:




XSAs that do not affect the security of Qubes OS (no user action required)
--

The following XSAs *do not affect* the security of Qubes OS, and no user 
action is necessary:


- XSA-393 (ARM architectures only)
- XSA-394 (denial-of-service only)


Related links
-

- Xen XSA list: 
- Qubes XSA tracker: 
- Qubes security pack (qubes-secpack): 


- Qubes security bulletins (QSBs): 

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2022/01/25/xsas-released-on-2022-01-25/

--
Andrew David Wong
Community Manager
The Qubes OS Project
https://www.qubes-os.org

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/db89a0a4-3184-a34a-aaf3-c76ea5819730%40qubes-os.org.

[qubes-users] QSB-075: Insufficient cleanup of passed-through device IRQs (XSA-395)

[Andrew David Wong]

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 075: Insufficient
cleanup of passed-through device IRQs (XSA-395). The text of this QSB
is reproduced below. This QSB and its accompanying signatures will
always be available in the Qubes Security Pack (qubes-secpack).

View QSB-075 in the qubes-secpack:



In addition, you may wish to:

- Get the qubes-secpack: 
- View all past QSBs: 
- View the XSA Tracker: 

```

 ---===[ Qubes Security Bulletin 075 ]===---

 2022-01-25

Insufficient cleanup of passed-through device IRQs (XSA-395)


User action required
-

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.0, in dom0:
  - Xen packages, version 4.8.5-37

  For Qubes 4.1, in dom0:
  - Xen packages, version 4.14.3-8

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]

Dom0 must be restarted afterward in order for the updates to take
effect.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new Xen
binaries.


Summary


On 2022-01-25, the Xen project published XSA-395, "Insufficient cleanup
of passed-through device IRQs" [3]:

| The management of IRQs associated with physical devices exposed to x86
| HVM guests involves an iterative operation in particular when cleaning
| up after the guest's use of the device.  In the case where an
| interrupt is not quiescent yet at the time this cleanup gets invoked,
| the cleanup attempt may be scheduled to be retried.  When multiple
| interrupts are involved, this scheduling of a retry may get
| erroneously skipped.  At the same time pointers may get cleared
| (resulting in a de-reference of NULL) and freed (resulting in a
| use-after-free), while other code would continue to assume them to be
| valid.


Impact
---

The precise impact is system-specific but would typically be a denial of
service (DoS) affecting the entire host.  Privilege escalation and
information leaks cannot be ruled out.

Only x86 HVM guests with one or more passed-through physical devices
using multiple physical interrupts together can exploit this
vulnerability. In Qubes, this generally applies to sys-usb and sys-net,
but whether the relevant devices use multiple interrupts together is
system-specific.


Credits


See the original Xen Security Advisory.


References
---

[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-395.html

--
The Qubes Security Team
https://www.qubes-os.org/security/

```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2022/01/25/qsb-075/

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0d5d5b5c-5411-e2ed-f081-36a847b0911a%40qubes-os.org.

Re: [qubes-users] 4.1: Unlock screen -> no qube windows

['Rune Philosof' via qubes-users]

What scripts are run when you log in?
I have searched in vain for the script that connects already running
windows to the session I just created.
It would be nice to be able to reconnect the windows without having to log
out and in again. Also it might help me understand what the problem is.

On Mon, Jan 17, 2022 at 1:51 PM 'Rune Philosof' via qubes-users <
qubes-users@googlegroups.com> wrote:

> Some times when I unlock my screen my desktop is completely empty, except
> for dom0 windows.
> The qubes still run, for instance I can still chat in an active Google
> Meet, just can't see the window.
> The windows are completely gone, as in not visible in the panel, taskbar,
> or workspace_switcher.
> If I then log out and in again, the windows reappear.
>
> Felt a bit odd to stay in a meeting while logging out and back in again. :)
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "qubes-users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/qubes-users/D0I_Boj2Seo/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> qubes-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/90a68260-3318-4364-b888-d0d7d7519da5n%40googlegroups.com
> 
> .
>


-- 

Med venlig hilsen / Best regards

Rune Philosof

Software developer

+45 28 45 64 08

r...@abtion.com




Vesterbrogade 15, 3

1620 København V

Sverigesgade 18

5000 Odense C

abtion.com

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAL8J5gbnFffFpSvdKwwGruPssUzAe2EYcmqHQi_rs7VYtXHuMA%40mail.gmail.com.

Re: [qubes-users] Help using qubes as testing VMs

[Peter Funk]

Eric W. Biederman schrieb am Monday, den 24.01.2022 um 12:01:
...
> >>> https://www.qubes-os.org/doc/firewall has information about enabling
> >>> networking between qubes.
...
> > nft flush ruleset
...
> In particular "nft flush ruleset" was needed before any iptables changes
> were reflected in the forwarding behavior.

Very interesting! I've a comparable setup in my qubes-firewall-user-script 
but since the fedora-34 template receive updates so frequently I've
switched template for my sys-firewall to debian-11.  For me this 
`nft flush ruleset` command wasn't necessary.

I will try to switch my sys-firewall back to the fedora-34 to see if
this will break things for me and if adding this command will fix it.  
Thank you for figuring this out.

Best regards, Peter Funk
-- 
Peter Funk ✉:Oldenburger Str.86, 2 Ganderkesee, Germany; 📱:+49-179-640-8878 
homeoffice ☎:+49-4222-950270
office ✉: ArtCom GmbH, Haferwende 2, D-28357 Bremen, Germany; ☎:+49-421-20419-0

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/YfAEK%2BQ4zIUEgO5u%40work.