From 2950ee717005eb148461c83a92eb088c9a542f92 Mon Sep 17 00:00:00 2001
From: Rafal Wojtczuk
Date: Fri, 16 Sep 2011 17:05:41 +0200
Subject: [PATCH 1/4] Make qubes-receive-updates more defensive (#356)
---
 dom0/aux-tools/qubes-receive-updates | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/dom0/aux-tools/qubes-receive-updates b/dom0/aux-tools/qubes-receive-updates
index af386090..366066cc 100755
--- a/dom0/aux-tools/qubes-receive-updates
+++ b/dom0/aux-tools/qubes-receive-updates
@@ -20,6 +20,7 @@
 #
 #
 import os
+import os.path
 import re
 import sys
 import subprocess
@@ -33,6 +34,7 @@ updates_rpm_dir = updates_dir + "/rpm"
 updates_repodata_dir = updates_dir + "/repodata"
 package_regex = re.compile(r"^[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._+-]{1,128}.rpm$")
+gpg_ok_regex = re.compile(r"pgp md5 OK$")
 def dom0updates_fatal(msg):
 print >> sys.stderr, msg
@@ -56,13 +58,16 @@ def handle_dom0updates(updatevm):
 subprocess.check_call(["/usr/lib/qubes/qfile-dom0-unpacker", str(os.getuid()), updates_rpm_dir])
 # Verify received files
 for f in os.listdir(updates_rpm_dir):
+ full_path = updates_rpm_dir + "/" + f
 if package_regex.match(f):
- p = subprocess.Popen (["/bin/rpm", "-K", updates_rpm_dir + "/" + f],
+ if os.path.islink(full_path) or not os.path.isfile(full_path):
+ dom0updates_fatal('Domain ' + source + ' sent not regular file')
+ p = subprocess.Popen (["/bin/rpm", "-K", full_path],
 stdout=subprocess.PIPE)
 output = p.communicate()[0]
 if p.returncode != 0:
 dom0updates_fatal('Error while verifing %s signature: %s' % (f, output))
- if output.find("pgp") < 0:
+ if not gpg_ok_regex.search(output.strip()):
 dom0updates_fatal('Domain ' + source + ' sent not signed rpm: ' + f)
 else:
 dom0updates_fatal('Domain ' + source + ' sent unexpected file: ' + f)
From bbccdd30a05cfee035c99e3be2dfb4760a351bff Mon Sep 17 00:00:00 2001
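Review bot: `gpg_ok_regex = re.compile(r"pgp md5 OK$")` pins the check to one exact `rpm -K` output layout and carries no comment saying so, so the next person who sees a correctly signed package rejected with "sent not signed rpm" on a different rpm build cannot tell fail-closed-by-design from a bug. Suggest a comment above it: `# rpm -K ends its line with "pgp md5 OK" when the signature verifies against the dom0 rpm keyring; anything else (unsigned "sha1 md5 OK", other digest/key layouts) fails this check`. As far as I know `rpm -K` accepts a signature from any key imported into dom0's rpm database, so the check is only as strong as that keyring's contents, which is worth stating in the same comment. The `import os.path` added in the first hunk is redundant with the existing `import os`, which already exposes `os.path`.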
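Review bot: The new `dom0updates_fatal('Domain ' + source + ' sent not regular file')` is the only message in this loop that omits the offending entry name; make it `dom0updates_fatal('Domain ' + source + ' sent not regular file: ' + f)` so the log identifies what was rejected. The guard also relies on `dom0updates_fatal` not returning — the previous hunk shows only its `print` line — and if it ever returns, `rpm -K` still runs on the rejected path on the very next line, so confirm it exits or add an explicit `return` after the call. With `os.path` now imported, `full_path = os.path.join(updates_rpm_dir, f)` reads better than string concatenation and gives the same result here since `f` comes from `os.listdir`. I believe rpm reads the package header before it reports a signature result, so the regular-file check does not reduce the parser's exposure to attacker-supplied data in dom0; that residual risk is worth a comment near the `rpm -K` call. `handle_dom0updates` starts outside this hunk.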
From: Joanna Rutkowska
Date: Fri, 16 Sep 2011 17:24:34 +0200
Subject: [PATCH 2/4] version 1.6.31-dom0
---
 version_dom0 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version_dom0 b/version_dom0
index 14781be7..599e1a15 100644
--- a/version_dom0
+++ b/version_dom0
@@ -1 +1 @@
-1.6.30
+1.6.31
From 59f71f634af596c8fe2ef507509bf1ae850286c7 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Mon, 26 Sep 2011 17:24:11 +0200
Subject: [PATCH 3/4] dom0: Fix xenstore permissions qubes_netvm_external_ip
We should ensure that the first expression in the permisions list is nX, where X is the owning domain, and not rX or wX, as otherwise we would be granting all other VMs read access to the key. This is explained in more detail here: http://wiki.xensource.com/xenwiki/XenBus In practice the perms problem applied only to the qubes_netvm_external_ip key that is exposed by each NetVM to corresponding Proxy VMs. Before this fix, the key was readable by any VM in the system, which might not be desired in some more advanced networking setups, such as with Tor Proxy VM.
---
 dom0/qvm-core/qubes.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index fbb0ec1f..d5c19a0f 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -1446,8 +1446,7 @@ class QubesNetVm(QubesVm):
 "/local/domain/{0}/qubes_netvm_external_ip".format(xid) ]
- command.append("r{0}".format(xid,xid))
- command.append("w{0}".format(xid,xid))
+ command.append("n{0}".format(xid))
 for id in self.__external_ip_allowed_xids:
 command.append("r{0}".format(id))
From e6585a85a648d91b7567393776e82a6d6f0b66c6 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Mon, 26 Sep 2011 17:54:50 +0200
Subject: [PATCH 4/4] version 1.6.32-dom0
---
 version_dom0 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version_dom0 b/version_dom0
index 599e1a15..e0380928 100644
--- a/version_dom0
+++ b/version_dom0
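Review bot: `command.append("n{0}".format(xid))` applies the ordering the commit message explains but leaves no trace in the code of why the first entry must be `n<owner>`, so a later edit could reintroduce an `r`/`w` first entry without anyone noticing. Suggest a comment above the new line: `# First perms entry is owner + default for everyone else: "n<xid>" = owned by this NetVM, no access for other domains; the "r<xid>" entries appended below grant read only to the listed proxy VMs (see XenBus wiki).` A regression check asserting that the perms list starts with `n` followed by this NetVM's xid would keep the fix from silently regressing, since the mistake is invisible unless someone inspects xenstore from another VM. The enclosing method of `QubesNetVm` starts and ends outside this hunk, so I cannot see where `command` is executed or whether the perms call's result is checked.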
@@ -1 +1 @@
-1.6.31
+1.6.32