From 5923741c83471ce06050c8ba38764b35019aef43 Mon Sep 17 00:00:00 2001
From: Rafal Wojtczuk <rafal@invisiblethingslab.com>
Date: Mon, 9 May 2011 16:23:52 +0200
Subject: [PATCH 01/12] qubes_netwatcher: add a note about NETCFG untrusted
 origin

---
 proxyvm/bin/qubes_netwatcher | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/proxyvm/bin/qubes_netwatcher b/proxyvm/bin/qubes_netwatcher
index a256807..42ee4a1 100755
--- a/proxyvm/bin/qubes_netwatcher
+++ b/proxyvm/bin/qubes_netwatcher
@@ -13,11 +13,12 @@ trap 'exit 0' SIGTERM
 while true; do
 	NET_DOMID=$(/usr/bin/xenstore-read qubes_netvm_domid)
 	if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then
-		NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes_netvm_external_ip)
-		if [[ "$NETCFG" != "$CURR_NETCFG" ]]; then
+		UNTRUSTED_NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes_netvm_external_ip)
+		# UNTRUSTED_NETCFG is not parsed in any way
+		if [[ "$UNTRUSTED_NETCFG" != "$CURR_NETCFG" ]]; then
 			/sbin/service qubes_firewall stop
 			/sbin/service qubes_firewall start
-			CURR_NETCFG="$NETCFG"
+			CURR_NETCFG="$UNTRUSTED_NETCFG"
 			/usr/bin/xenstore-write qubes_netvm_external_ip "$CURR_NETCFG"
 		fi
 

From 748369c8adf0e151f6173df9fde436458ea149ca Mon Sep 17 00:00:00 2001
From: Rafal Wojtczuk <rafal@invisiblethingslab.com>
Date: Mon, 9 May 2011 16:26:48 +0200
Subject: [PATCH 02/12] qubes_netwatcher: expand a note about NETCFG untrusted
 origin

---
 proxyvm/bin/qubes_netwatcher | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/proxyvm/bin/qubes_netwatcher b/proxyvm/bin/qubes_netwatcher
index 42ee4a1..9b9f279 100755
--- a/proxyvm/bin/qubes_netwatcher
+++ b/proxyvm/bin/qubes_netwatcher
@@ -15,6 +15,8 @@ while true; do
 	if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then
 		UNTRUSTED_NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes_netvm_external_ip)
 		# UNTRUSTED_NETCFG is not parsed in any way
+		# thus, no sanitization ready
+		# but be careful when passing it to other shell scripts
 		if [[ "$UNTRUSTED_NETCFG" != "$CURR_NETCFG" ]]; then
 			/sbin/service qubes_firewall stop
 			/sbin/service qubes_firewall start

From 93a428573b73d2f1d59fd9f9ac1cb3ab2b9307f9 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska <joanna@invisiblethingslab.com>
Date: Mon, 9 May 2011 18:28:08 +0200
Subject: [PATCH 03/12] version 1.5.24

---
 version_vm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version_vm b/version_vm
index 07a45d7..81fb4f9 100644
--- a/version_vm
+++ b/version_vm
@@ -1 +1 @@
-1.5.21
+1.5.24

From 843af5096a9b35461db3664881d9dd10b1f7f11f Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska <joanna@invisiblethingslab.com>
Date: Mon, 9 May 2011 18:40:51 +0200
Subject: [PATCH 04/12] Makefile: update-repo-current-testing target

---
 Makefile | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/Makefile b/Makefile
index b07baf6..1a31918 100644
--- a/Makefile
+++ b/Makefile
@@ -6,6 +6,7 @@ VERSION_VM := $(shell cat version_vm)
 help:
 	@echo "make rpms                  -- generate binary rpm packages"
 	@echo "make update-repo-current   -- copy newly generated rpms to qubes yum repo"
+	@echo "make update-repo-current-testing  -- same, but to -current-testing repo"
 	@echo "make update-repo-unstable  -- same, but to -testing repo"
 	@echo "make update-repo-installer -- copy dom0 rpms to installer repo"
 	@echo "make clean                 -- cleanup"
@@ -26,6 +27,13 @@ update-repo-current:
 	ln -f $(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*fc14*.rpm ../yum/current-release/current/vm/f14/rpm/
 	cd ../yum && ./update_repo.sh
 
+update-repo-current-testing:
+	ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-*$(VERSION_DOM0)*fc13*.rpm ../yum/current-release/current-testing/dom0/rpm/
+	ln -f $(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*fc13*.rpm ../yum/current-release/current-testing/vm/f13/rpm/
+	ln -f $(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*fc14*.rpm ../yum/current-release/current-testing/vm/f14/rpm/
+	cd ../yum && ./update_repo.sh
+
+
 update-repo-unstable:
 	ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-*$(VERSION_DOM0)*fc13*.rpm ../yum/current-release/unstable/dom0/rpm/
 	ln -f $(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*fc13*.rpm ../yum/current-release/unstable/vm/f13/rpm/

From 432a44be40fc3c62491f40406e291def26c0ae0b Mon Sep 17 00:00:00 2001
From: Marek Marczykowski <marmarek@mimuw.edu.pl>
Date: Tue, 19 Apr 2011 13:07:13 +0200
Subject: [PATCH 05/12] Fix typo

---
 appvm/qvm-copy-to-vm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/appvm/qvm-copy-to-vm b/appvm/qvm-copy-to-vm
index 4817b43..ff4d620 100755
--- a/appvm/qvm-copy-to-vm
+++ b/appvm/qvm-copy-to-vm
@@ -49,7 +49,7 @@ while true ; do
 	read agentpid sentsize agentstatus < $PROGRESS_FILE
 	if [ "x"$agentstatus = x ] ; then continue ; fi
 	if ! [ -e /proc/$agentpid ] ; then break ; fi
-	if [ "x"$agentstatus = xdone ] ; then break ; fi
+	if [ "x"$agentstatus = xDONE ] ; then break ; fi
 	CURRSIZE=$(($sentsize/1024))
 	if [ $DO_PROGRESS = 1 ] ; then 
 		echo -ne "\r sent $CURRSIZE/$SIZE KB                   " 

From a2598eae7394698ec696e230b41566c4fca26a47 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski <marmarek@mimuw.edu.pl>
Date: Tue, 19 Apr 2011 13:10:18 +0200
Subject: [PATCH 06/12] Run qubes_core_appvm also in TemplateVM (#222)

---
 appvm/qubes_core_appvm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/appvm/qubes_core_appvm b/appvm/qubes_core_appvm
index 32c0833..a4c2465 100755
--- a/appvm/qubes_core_appvm
+++ b/appvm/qubes_core_appvm
@@ -26,7 +26,7 @@ start()
 	fi
 
 	type=$(/usr/bin/xenstore-read qubes_vm_type)
-	if [ "$type" != "AppVM" -a "$type" != "DisposableVM" ]; then
+	if [ "$type" != "AppVM" -a "$type" != "DisposableVM" -a "$type" != "TemplateVM" ]; then
 		# This script runs only on AppVMs
 		return 0
 	fi

From 4e4cf3df01812e7822ea7de7af53fb5d621ebc54 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska <joanna@invisiblethingslab.com>
Date: Tue, 10 May 2011 11:14:41 +0200
Subject: [PATCH 07/12] core-dom0-vaio-fixes is now a separate package

Also fixes to postun scripts to properly handle updates
---
 Makefile           | 16 ++++++++++++----
 version_vaio_fixes |  1 +
 2 files changed, 13 insertions(+), 4 deletions(-)
 create mode 100644 version_vaio_fixes

diff --git a/Makefile b/Makefile
index 1a31918..6df5998 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,7 @@
 RPMS_DIR=rpm/
 
 VERSION_DOM0 := $(shell cat version_dom0)
+VERSION_VAIO_FIXES := $(shell cat version_vaio_fixes)
 VERSION_VM := $(shell cat version_vm)
 
 help:
@@ -18,24 +19,31 @@ rpms:
 	rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-proxyvm.spec
 	rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-dom0.spec
 	rpm --addsign \
-		$(RPMS_DIR)/x86_64/qubes-core-dom0-*$(VERSION_DOM0)*.rpm \
+		$(RPMS_DIR)/x86_64/qubes-core-dom0-$(VERSION_DOM0)*.rpm \
 		$(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*.rpm
 
+rpms-vaio-fixes:
+	rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-dom0-vaio-fixes.spec
+	rpm --addsign $(RPMS_DIR)/x86_64/qubes-core-dom0-vaio-fixes-$(VERSION_VAIO_FIXES)*.rpm 
+
 update-repo-current:
-	ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-*$(VERSION_DOM0)*fc13*.rpm ../yum/current-release/current/dom0/rpm/
+	ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-$(VERSION_DOM0)*fc13*.rpm ../yum/current-release/current/dom0/rpm/
+	ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-vaio-fixes-$(VERSION_VAIO_FIXES)*fc13*.rpm ../yum/current-release/current/dom0/rpm/
 	ln -f $(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*fc13*.rpm ../yum/current-release/current/vm/f13/rpm/
 	ln -f $(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*fc14*.rpm ../yum/current-release/current/vm/f14/rpm/
 	cd ../yum && ./update_repo.sh
 
 update-repo-current-testing:
-	ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-*$(VERSION_DOM0)*fc13*.rpm ../yum/current-release/current-testing/dom0/rpm/
+	ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-$(VERSION_DOM0)*fc13*.rpm ../yum/current-release/current-testing/dom0/rpm/
+	ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-vaio-fixes-$(VERSION_VAIO_FIXES)*fc13*.rpm ../yum/current-release/current-testing/dom0/rpm/
 	ln -f $(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*fc13*.rpm ../yum/current-release/current-testing/vm/f13/rpm/
 	ln -f $(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*fc14*.rpm ../yum/current-release/current-testing/vm/f14/rpm/
 	cd ../yum && ./update_repo.sh
 
 
 update-repo-unstable:
-	ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-*$(VERSION_DOM0)*fc13*.rpm ../yum/current-release/unstable/dom0/rpm/
+	ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-$(VERSION_DOM0)*fc13*.rpm ../yum/current-release/unstable/dom0/rpm/
+	ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-vaio-fixes-$(VERSION_VAIO_FIXES)*fc13*.rpm ../yum/current-release/unstable/dom0/rpm/
 	ln -f $(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*fc13*.rpm ../yum/current-release/unstable/vm/f13/rpm/
 	ln -f $(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*fc14*.rpm ../yum/current-release/unstable/vm/f14/rpm/
 	cd ../yum && ./update_repo.sh
diff --git a/version_vaio_fixes b/version_vaio_fixes
new file mode 100644
index 0000000..32461d5
--- /dev/null
+++ b/version_vaio_fixes
@@ -0,0 +1 @@
+1.5.25

From 920ddd719f5b269e7a603b8e3cdd988973b45ddd Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska <joanna@invisiblethingslab.com>
Date: Tue, 10 May 2011 11:45:01 +0200
Subject: [PATCH 08/12] version 1.2.25

---
 version_vm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version_vm b/version_vm
index 81fb4f9..32461d5 100644
--- a/version_vm
+++ b/version_vm
@@ -1 +1 @@
-1.5.24
+1.5.25

From 6a6b140c43c381b8a6754ccae5b90c1cb0c4287b Mon Sep 17 00:00:00 2001
From: Rafal Wojtczuk <rafal@invisiblethingslab.com>
Date: Tue, 10 May 2011 12:19:28 +0200
Subject: [PATCH 09/12] qrexec and qfile-*: compile with -pie

For full ASLR.
---
 appvm/Makefile | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/appvm/Makefile b/appvm/Makefile
index 4687de6..893e9e9 100644
--- a/appvm/Makefile
+++ b/appvm/Makefile
@@ -1,14 +1,14 @@
 CC=gcc
-CFLAGS=-g -Wall -I../common
+CFLAGS=-g -Wall -I../common -fPIC -pie
 all:	dvm_file_editor qfile-agent-dvm qfile-agent qfile-unpacker
 dvm_file_editor: dvm_file_editor.o ../common/ioall.o
-	$(CC) -g -o dvm_file_editor dvm_file_editor.o ../common/ioall.o
+	$(CC) -pie -g -o dvm_file_editor dvm_file_editor.o ../common/ioall.o
 qfile-agent-dvm: qfile-agent-dvm.o ../common/ioall.o ../common/gui-fatal.o
-	$(CC) -g -o qfile-agent-dvm qfile-agent-dvm.o ../common/ioall.o ../common/gui-fatal.o 
+	$(CC) -pie -g -o qfile-agent-dvm qfile-agent-dvm.o ../common/ioall.o ../common/gui-fatal.o 
 qfile-agent: qfile-agent.o ../common/ioall.o ../common/gui-fatal.o copy_file.o
-	$(CC) -g -o qfile-agent qfile-agent.o ../common/ioall.o ../common/gui-fatal.o copy_file.o
+	$(CC) -pie -g -o qfile-agent qfile-agent.o ../common/ioall.o ../common/gui-fatal.o copy_file.o
 qfile-unpacker: qfile-unpacker.o ../common/ioall.o ../common/gui-fatal.o copy_file.o unpack.o
-	$(CC) -g -o qfile-unpacker qfile-unpacker.o ../common/ioall.o ../common/gui-fatal.o copy_file.o unpack.o
+	$(CC) -pie -g -o qfile-unpacker qfile-unpacker.o ../common/ioall.o ../common/gui-fatal.o copy_file.o unpack.o
 
 clean:
 	rm -f qfile-agent-dvm qfile-agent qfile-unpacker dvm_file_editor *.o *~

From 769ce02ebb88820753579197384ce0dc1cdc3dc8 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska <joanna@invisiblethingslab.com>
Date: Tue, 10 May 2011 12:42:00 +0200
Subject: [PATCH 10/12] version 1.5.26

---
 version_vm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version_vm b/version_vm
index 32461d5..5b5dc42 100644
--- a/version_vm
+++ b/version_vm
@@ -1 +1 @@
-1.5.25
+1.5.26

From 6b4e888ca45e5931d6ac7f4adb5a23d77f8482b4 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska <joanna@invisiblethingslab.com>
Date: Mon, 23 May 2011 21:13:56 +0200
Subject: [PATCH 11/12] version 1.5.27-vm

---
 version_vm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version_vm b/version_vm
index 5b5dc42..f93a854 100644
--- a/version_vm
+++ b/version_vm
@@ -1 +1 @@
-1.5.26
+1.5.27

From 76e7a526287190e680100443cd6df00191f2a289 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska <joanna@invisiblethingslab.com>
Date: Mon, 23 May 2011 21:39:48 +0200
Subject: [PATCH 12/12] vm: add current-testing repo definitions

---
 common/qubes.fc13.repo | 7 +++++++
 common/qubes.fc14.repo | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/common/qubes.fc13.repo b/common/qubes.fc13.repo
index 3531342..982b095 100644
--- a/common/qubes.fc13.repo
+++ b/common/qubes.fc13.repo
@@ -4,6 +4,13 @@ baseurl = http://yum.qubes-os.org/r1-beta1/current/vm/f13
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-1-primary
 gpgcheck = 1
 
+[qubes-vm-current-testing]
+name = Qubes OS Repository for VM (updates-testing)
+baseurl = http://yum.qubes-os.org/r1-beta1/current-testing/vm/f13
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-1-primary
+gpgcheck = 1
+enabled=0
+
 [qubes-vm-unstable]
 name = Qubes OS Repository for VM (unstable)
 baseurl = http://yum.qubes-os.org/r1-beta1/unstable/vm/f13
diff --git a/common/qubes.fc14.repo b/common/qubes.fc14.repo
index f069148..b10c80c 100644
--- a/common/qubes.fc14.repo
+++ b/common/qubes.fc14.repo
@@ -4,6 +4,13 @@ baseurl = http://yum.qubes-os.org/r1-beta1/current/vm/f14
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-1-primary
 gpgcheck = 1
 
+[qubes-vm-current-testing]
+name = Qubes OS Repository for VM (updates-testing)
+baseurl = http://yum.qubes-os.org/r1-beta1/current-testing/vm/f14
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-1-primary
+gpgcheck = 1
+enabled=0
+
 [qubes-vm-unstable]
 name = Qubes OS Repository for VM (unstable)
 baseurl = http://yum.qubes-os.org/r1-beta1/unstable/vm/f14