From 5923741c83471ce06050c8ba38764b35019aef43 Mon Sep 17 00:00:00 2001 From: Rafal Wojtczuk Date: Mon, 9 May 2011 16:23:52 +0200 Subject: [PATCH 1/4] qubes_netwatcher: add a note about NETCFG untrusted origin --- proxyvm/bin/qubes_netwatcher | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/proxyvm/bin/qubes_netwatcher b/proxyvm/bin/qubes_netwatcher index a256807..42ee4a1 100755 --- a/proxyvm/bin/qubes_netwatcher +++ b/proxyvm/bin/qubes_netwatcher @@ -13,11 +13,12 @@ trap 'exit 0' SIGTERM while true; do NET_DOMID=$(/usr/bin/xenstore-read qubes_netvm_domid) if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then - NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes_netvm_external_ip) - if [[ "$NETCFG" != "$CURR_NETCFG" ]]; then + UNTRUSTED_NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes_netvm_external_ip) + # UNTRUSTED_NETCFG is not parsed in any way + if [[ "$UNTRUSTED_NETCFG" != "$CURR_NETCFG" ]]; then /sbin/service qubes_firewall stop /sbin/service qubes_firewall start - CURR_NETCFG="$NETCFG" + CURR_NETCFG="$UNTRUSTED_NETCFG" /usr/bin/xenstore-write qubes_netvm_external_ip "$CURR_NETCFG" fi From 748369c8adf0e151f6173df9fde436458ea149ca Mon Sep 17 00:00:00 2001 From: Rafal Wojtczuk Date: Mon, 9 May 2011 16:26:48 +0200 Subject: [PATCH 2/4] qubes_netwatcher: expand a note about NETCFG untrusted origin --- proxyvm/bin/qubes_netwatcher | 2 ++ 1 file changed, 2 insertions(+) diff --git a/proxyvm/bin/qubes_netwatcher b/proxyvm/bin/qubes_netwatcher index 42ee4a1..9b9f279 100755 --- a/proxyvm/bin/qubes_netwatcher +++ b/proxyvm/bin/qubes_netwatcher @@ -15,6 +15,8 @@ while true; do if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then UNTRUSTED_NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes_netvm_external_ip) # UNTRUSTED_NETCFG is not parsed in any way + # thus, no sanitization ready + # but be careful when passing it to other shell scripts if [[ "$UNTRUSTED_NETCFG" != "$CURR_NETCFG" ]]; then /sbin/service qubes_firewall stop /sbin/service qubes_firewall start From 93a428573b73d2f1d59fd9f9ac1cb3ab2b9307f9 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Mon, 9 May 2011 18:28:08 +0200 Subject: [PATCH 3/4] version 1.5.24 --- version_vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_vm b/version_vm index 07a45d7..81fb4f9 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.5.21 +1.5.24 From 843af5096a9b35461db3664881d9dd10b1f7f11f Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Mon, 9 May 2011 18:40:51 +0200 Subject: [PATCH 4/4] Makefile: update-repo-current-testing target --- Makefile | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Makefile b/Makefile index b07baf6..1a31918 100644 --- a/Makefile +++ b/Makefile @@ -6,6 +6,7 @@ VERSION_VM := $(shell cat version_vm) help: @echo "make rpms -- generate binary rpm packages" @echo "make update-repo-current -- copy newly generated rpms to qubes yum repo" + @echo "make update-repo-current-testing -- same, but to -current-testing repo" @echo "make update-repo-unstable -- same, but to -testing repo" @echo "make update-repo-installer -- copy dom0 rpms to installer repo" @echo "make clean -- cleanup" @@ -26,6 +27,13 @@ update-repo-current: ln -f $(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*fc14*.rpm ../yum/current-release/current/vm/f14/rpm/ cd ../yum && ./update_repo.sh +update-repo-current-testing: + ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-*$(VERSION_DOM0)*fc13*.rpm ../yum/current-release/current-testing/dom0/rpm/ + ln -f $(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*fc13*.rpm ../yum/current-release/current-testing/vm/f13/rpm/ + ln -f $(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*fc14*.rpm ../yum/current-release/current-testing/vm/f14/rpm/ + cd ../yum && ./update_repo.sh + + update-repo-unstable: ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-*$(VERSION_DOM0)*fc13*.rpm ../yum/current-release/unstable/dom0/rpm/ ln -f $(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*fc13*.rpm ../yum/current-release/unstable/vm/f13/rpm/