almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-28 18:02:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

Security advisory 2023-10-25: prevent dz-dvm network via dispVMs

Browse source 
In Qubes the disposable netVM is internet connected. For this reason,
on Qubes we chose create our own disposable VM (dz-dvm). However, in
reality this could still be bypassed since dz-dvm had the default
disposable dispvm.

By setting the default_dispvm to '' we prevent this bypass. For VMs
users who have already followed the setup instructions, the following
command should (to be ran in dom0) will fix this issue:

   qvm-prefs dz-dvm default_dispvm ''
This commit is contained in:
deeplow 2023-10-25 17:12:36 +01:00
parent 0aeef1c2d0
commit 5acb96884a
No known key found for this signature in database
GPG key ID: 577982871529A52A
2 changed files with 19 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
INSTALL.md
View file

@ -137,6 +137,10 @@ After confirming that it matches, type `y` (for yes) and the installation should
> want to try out the stable Dangerzone version (which uses containers instead > want to try out the stable Dangerzone version (which uses containers instead
> of virtual machines for isolation), please follow the Fedora or Debian > of virtual machines for isolation), please follow the Fedora or Debian
> instructions and adapt them as needed. > instructions and adapt them as needed.
>
> **If you followed these instructions before October 25, 2023, please read [this security advisory](docs/advisories/2023-10-25.md).**
> This notice will be removed with the 1.0.0 release of Dangerzone.
> [!IMPORTANT] > [!IMPORTANT]
> This section will install Dangerzone in your **default template** > This section will install Dangerzone in your **default template**
@ -160,7 +164,7 @@ template. This will be the qube where the documents will be sanitized:
``` ```
qvm-create --class AppVM --label red --template fedora-38 \ qvm-create --class AppVM --label red --template fedora-38 \
--prop netvm="" --prop template_for_dispvms=True \ --prop netvm="" --prop template_for_dispvms=True \
dz-dvm --prop default_dispvm='' dz-dvm
``` ```
Add an RPC policy (`/etc/qubes/policy.d/50-dangerzone.policy`) that will Add an RPC policy (`/etc/qubes/policy.d/50-dangerzone.policy`) that will
@ -192,6 +196,7 @@ column to "Selected".
You can now launch Dangerzone from the list of applications for your qube, and You can now launch Dangerzone from the list of applications for your qube, and
pass it a file to sanitize. pass it a file to sanitize.
## Build from source ## Build from source
If you'd like to build from source, follow the [build instructions](BUILD.md). If you'd like to build from source, follow the [build instructions](BUILD.md).

13
docs/advisories/2023-10-25.md Normal file
View file

@ -0,0 +1,13 @@
# Security Advisory 2023-10-25
For users testing our [new Qubes integration (beta)](https://github.com/freedomofpress/dangerzone/blob/main/INSTALL.md#qubes-os), please note that our instructions were missing a configuration detail for disposable VMs which is necessary to fully harden the configuration.
These instructions apply to users who followed the setup instructions **before October 25, 2023**.
**What you need to do:** run the following command in dom0:
```bash
qvm-prefs dz-dvm default_dispvm ''
```
**Explanation**: In Qubes OS, the default template for disposable VMs is network-connected. For this reason, we instruct users to create their own disposable VM (`dz-dvm`). However, adversaries with the ability to execute commands on `dz-dvm` would also be able open new disposable VMs with the default settings. By setting the default_dispvm to "none" we prevent this bypass.