The kernel version on my install is: 6.18.19-1.qubes.fc41.x86_64.
Is this kernel safe?
If not, where is a safe kernel?
Thanks in advance.
You can get more recent kernels by updating dom0. If you install the
kernel-latest package in dom0, you’ll get the most recent release. If
you enable testing repositories in dom0, you will get more recent ones, but
they will be testing releases (naturally).
Latest available is 6.19.14-1
I did try to update qubesos/dom0 using the commands below:
sudo update.qubes-vm
sudo qubes-dom0-update
I get a message saying there is no update available.
I tried the command:
sudo qubes-dom0-update kernel-latest kernel-latest-qubes-vm
and the system updated to kernel 6.19.5-1, so almost at .14.
I then chose 6.19.5-1 in global configuration.
System is okay, but still no 6.19.14-1.
Will check in a few days.
Doesn’t matter anyway because you have a single user system with passwordless sudo.
Just relax.
Many users have removed the qubes-core-agent-passwordless-root package from their templates so they can use sudo for better security. With this bug, it’s possible to gain root access in AppVMs where sudo has been enabled this way, and in my opinion the kernel-latest that patches this issue should be made available as soon as possible.
The latest testing kernel for VMs can be installed, and prevents the exploit script from working.
BUT I reckon you must know that it is not considered tested, and if something breaks then it is all your problem.
Make sure you have full backup, and that it is usable, before you install it. Ideally, keep the regular stable kernel for any unexposed qubes.
sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing kernel-latest-qubes-vm
It did not seem to break anything obvious, but I only tried it on a testing machine. Of course, it did break the python copy.fail exploit script!
Interestingly, the exploit script only seems to work on a setuid program with read access for the user, so running chmod -r on all setuid executables may be sufficient to prevent exploitation. Not sure if there is a workaround for this, though…
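To see which files the `chmod -r` idea in the post above would apply to, the following audit lists setuid executables that non-owners can read. It is an added example, not part of any poster's message; the function names and the constructed sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit helper, not code from the thread.

# Print setuid regular files under the given directories that are readable
# by group or other, i.e. by someone who is not the file's owner.
list_readable_setuid() {
    find "$@" -xdev -type f -perm -4000 \( -perm -040 -o -perm -004 \) \
        -print 2>/dev/null | sort
}

# Build a constructed sample tree (no real system binaries are touched)
# and print its path.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    for f in readable_suid unreadable_suid plain; do
        printf '#!/bin/sh\n' > "$dir/$f"
    done
    chmod 4755 "$dir/readable_suid"    # setuid, world-readable: reported
    chmod 4711 "$dir/unreadable_suid"  # setuid, execute-only for non-owners
    chmod 0755 "$dir/plain"            # readable, but not setuid
    printf '%s\n' "$dir"
}

sample=$(make_sample_tree)
echo "Readable setuid files in constructed tree:"
list_readable_setuid "$sample"
rm -rf "$sample"

# In a template, pass real directories instead, for example:
#   list_readable_setuid /usr/bin /usr/sbin /usr/libexec
```

Package updates may restore the original file modes, so the audit is worth re-running after each template update.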
For readers' information:
The proof of Copy Fail’s threat comes through the ease of using the exploit, according to Theori. A 732-byte Python script reportedly gains root on virtually every Linux distro released since 2017, including Ubuntu, Red Hat Enterprise Linux, Amazon Linux, and Debian.
As of this writing, the only available patches are for Arch Linux and Red Hat Fedora. Given the seriousness of the vulnerability, it’s recommended that you install the fix as soon as possible.
And I am far less competent than most of those who have posted here.
I just wanted to point out to watch Fedora boards for how to fix, and whether the fix works.
Meaning when that fix is applied to the versions of Fedora Qubes uses, particularly dom0.
Thanks everyone!
Don’t forget “Dirty Frag” too.
I am not surprised and predict others. That’s why I’m running [reasonably secure] Qubes.