Safe process for updating for QSB-067

For a qubes system that doesn’t have the updates for QSB-067 [1], how are the provided update instructions safe? When I run the update command in dom0, why can’t someone launch the exploit on the system as it is downloading the updated RPM software?

Thanks for any explanation anyone can provide.

[1] QSB-067: Multiple RPM vulnerabilities

I’m not clear in what way you think them unsafe, or whether you are
considering dom0 or a template. Perhaps you could clarify?
An attacker would have to have control over packages, as detailed in the
If they have already dropped a compromised package then it is possible
that your template is already compromised.
If they have attacked dom0, then they (may) be able to prevent updates,
but I believe you would notice that when applying this update.

The essence of my question is related to the fact that the vulnerable software is precisely the software I must rely on to patch the vulnerability. This makes me worried that there is a window of opportunity to attack the update process, before the patch has been applied.

I guess the simplest way to clarify my question is this: suppose that nothing in the qubes system is compromised at the moment. Is it the case that the vulnerabilities cannot be exploited as dom0 is executing the patching instructions given in the QSB? Or is it a kind of “cross your fingers” situation, where the attacker must strike NOW because after this update the system will be immune to the attack.

To elaborate, is it the case that if the attacker corrupts the patch for dom0 as RPM is downloading it, that I will see an error message and the corrupted package won’t get executed? If that’s the case, then is the following the safe way to do this update?
First, run

sudo qubes-dom0-update

Second, check that the installed versions of the packages rpm, qubes-core-dom0-linux, and qubes-mgmt-salt-dom0-update match (or exceed) the versions in the QSB. Here we rely on the fact that the attacker didn’t get us to executed his corrupted version of RPM.

Third, delete un-patched fedora templates, and reinstall then through the patched dom0 RPM.

Is it correct to understand that during that procedure, there is no window of opportunity for an attacker?


Dear unman: please let me know if my second post didn’t clarify things enough. I hope it’s clear that I’m essentially worried about dom0. This is because I believe that I can just re-install fresh fedora templates once I have updated dom0 (as described in my second post).


That’s very clear. Thanks.
These are vulnerabilities in the rpm/dnf process.
Until they are patched your system is,(will have been), vulnerable to

For dom0, the attacker would have to have had control over the packages
that are installed. This could be done by compromising a repository or
the updateVM.
I don’t believe that an attacker could prevent install of this updated
package, but that’s what the “check the installed versions” is