Closed v6ak closed 8 years ago
Automated announcement from builder-github
The package python2-dnf-plugins-qubes-hooks-3.1.17-1.fc21
has been pushed to the r3.1
testing repository for the Fedora fc21
template.
To test this update, please install it with the following command:
sudo yum update --enablerepo=qubes-vm-r3.1-current-testing
Automated announcement from builder-github
The package python2-dnf-plugins-qubes-hooks-3.1.17-1.fc22
has been pushed to the r3.1
testing repository for the Fedora fc22
template.
To test this update, please install it with the following command:
sudo yum update --enablerepo=qubes-vm-r3.1-current-testing
Automated announcement from builder-github
The package python2-dnf-plugins-qubes-hooks-3.1.17-1.fc23
has been pushed to the r3.1
testing repository for the Fedora fc23
template.
To test this update, please install it with the following command:
sudo yum update --enablerepo=qubes-vm-r3.1-current-testing
Automated announcement from builder-github
The package qubes-core-agent_3.1.17-1+deb8u1
has been pushed to the r3.1
testing repository for the Debian jessie
template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list
by uncommenting the line containing jessie-testing
, then use the standard update command:
sudo apt-get update && sudo apt-get dist-upgrade
Automated announcement from builder-github
The package qubes-core-agent_3.1.17-1+deb9u1
has been pushed to the r3.1
testing repository for the Debian stretch
template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list
by uncommenting the line containing stretch-testing
, then use the standard update command:
sudo apt-get update && sudo apt-get dist-upgrade
Automated announcement from builder-github
The package qubes-core-agent_3.1.17-1+deb7u1
has been pushed to the r3.1
testing repository for the Debian wheezy
template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list
by uncommenting the line containing wheezy-testing
, then use the standard update command:
sudo apt-get update && sudo apt-get dist-upgrade
cat /etc/apt/sources.list.d/qubes-r3.list
# Main qubes updates repository
deb [arch=amd64] http://deb.qubes-os.org/r3.1/vm jessie main
#deb-src http://deb.qubes-os.org/r3.1/vm jessie main
# Qubes updates candidates repository
deb [arch=amd64] http://deb.qubes-os.org/r3.1/vm jessie-testing main
#deb-src http://deb.qubes-os.org/r3.1/vm jessie-testing main
# Qubes security updates testing repository
deb [arch=amd64] http://deb.qubes-os.org/r3.1/vm jessie-securitytesting main
#deb-src http://deb.qubes-os.org/r3.1/vm jessie-securitytesting main
# Qubes experimental/unstable repository
#deb [arch=amd64] http://deb.qubes-os.org/r3.1/vm jessie-unstable main
#deb-src http://deb.qubes-os.org/r3.1/vm jessie-unstable main
dpkg -l | grep qubes-core-agent
ii qubes-core-agent 3.1.17-1+deb8u1 amd64 Qubes core agent
But I do not have qubes.OpenURL
.
The package qubes-core-agent_3.1.17-1+deb8u1 has been pushed to the r3.1 testing repository for the Debian jessie template.
So did I mess something up or was some mistake or there is some bug in Automated announcement from builder-github
?
This ticket isn't about qubes.OpenURL
service. It's about XSS in opening URLs by qubes.OpenInVM
. Which is also fixed by implementing separate service for that, but that's only done in R3.2.
Ticket for qubes.OpenURL
is here: https://github.com/QubesOS/qubes-issues/issues/1487
And packages are already uploaded (builder-github wasn't enabled for R3.2 before rc1 release).
Automated announcement from builder-github
The package qubes-upgrade-vm-3.1-1.fc21
has been pushed to the r3.1
stable repository for the Fedora fc21
template.
To install this update, please use the standard update command:
sudo yum update
Automated announcement from builder-github
The package qubes-upgrade-vm-3.1-1.fc22
has been pushed to the r3.1
stable repository for the Fedora fc22
template.
To install this update, please use the standard update command:
sudo yum update
Automated announcement from builder-github
The package qubes-upgrade-vm-3.1-1.fc23
has been pushed to the r3.1
stable repository for the Fedora fc23
template.
To install this update, please use the standard update command:
sudo yum update
Automated announcement from builder-github
The package qubes-core-agent_3.1.17-1+deb8u1
has been pushed to the r3.1
stable repository for the Debian jessie
template.
To install this update, please use the standard update command:
sudo apt-get update && sudo apt-get dist-upgrade
Automated announcement from builder-github
The package qubes-core-agent_3.1.17-1+deb9u1
has been pushed to the r3.1
stable repository for the Debian stretch
template.
To install this update, please use the standard update command:
sudo apt-get update && sudo apt-get dist-upgrade
Automated announcement from builder-github
The package qubes-core-agent_3.1.17-1+deb7u1
has been pushed to the r3.1
stable repository for the Debian wheezy
template.
To install this update, please use the standard update command:
sudo apt-get update && sudo apt-get dist-upgrade
I've found a XSS that has probably no impact (i.e. many prerequisities and nothing gained today), but I feel it is not a good practice.
When I try to open an URL, it is wrapped to a HTML page using /usr/lib/qubes/wrap-in-html-if-url.sh . When an application passes a bad URL to it, it may cause a XSS in the HTML page. The page is opened in a file:// context, which implies different cross-origin-policies for different browser:
Fortunately, the file is located in
/tmp/<vm name>/
, so the attacker should not be able to read DVM's files. However, you will probably agree that this is somehow fragile.Attack variants: a. HTML injection: URL might look like
https://www.google.com/?q="><script>alert(location)</script>
. This starts innocently and is likely to pass through many filters. b. JS scheme likejavascript://%0d%0aalert(location)
. This does not look so innocent (and apps should arguably not allow that), but still IMHO worth of preventing.Preventions:
a. Reject any invalid characters from the URL. (One still should escape the
&
at least…) b. Escape it. (I also suggest adding content-type meta tag to the document and sanitizing the utf-8 in such case.)