[qubes-users] QSB #060: Multiple Xen issues (XSA-345, XSA-346, XSA-347)

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #060: Multiple Xen
issues (XSA-345, XSA-346, XSA-347). The text of this QSB is reproduced
below. This QSB and its accompanying signatures will always be available
in the Qubes Security Pack (qubes-secpack).

*Special note:* Although XSA-345 is included in this QSB, we do not
consider XSA-345 to affect the security of Qubes OS [1], since the
default configuration is safe, and we have already implemented
appropriate safeguards to prevent users from changing to a vulnerable
configuration by accident. Please see the Impact section in QSB #060
below for further details.

[1] https://www.qubes-os.org/news/2020/10/20/xsa-286-331-332-345-qubes-not-affected/

View QSB #060 in the qubes-secpack:

Learn about the qubes-secpack, including how to obtain, verify, and read it:

View all past QSBs:

View the associated XSAs in the XSA Tracker:



```

              ---===[ Qubes Security Bulletin #60 ]===---

                              2020-10-20

            Multiple Xen issues (XSA-345, XSA-346, XSA-347)

Summary

```

XSA-346, XSA-457: A malicious domain with a PCI device (e.g., sys-net or
sys-usb in the default configuration) could try to exploit this
vulnerability in order to crash the host.

Just wanted to point out that there’s a very minor typo here (‘XSA-457’). Also, since the last QSB was posted on Discourse, I was wondering if this should be too.

Edit: Disregard the last sentence; I just noticed that posts in Qubes-Users get linked here.

Thank you for pointing out the typo. We’ll get that fixed in the repo and website versions.


Also, since the last QSB was posted on Discourse, I was wondering if this
should be too.

It's automatic, but there might be a delay.
