[qubes-users] QSB-067: Multiple RPM vulnerabilities

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 067: Multiple RPM
vulnerabilities. The text of this QSB is reproduced below. This QSB and
its accompanying signatures will always be available in the Qubes
Security Pack (qubes-secpack).

View QSB-067 in the qubes-secpack:

Learn about the qubes-secpack, including how to obtain, verify, and read it:

View all past QSBs:

```

              ---===[ Qubes Security Bulletin 067 ]===---

                              2021-03-19

                      Multiple RPM vulnerabilities

User action required
```

Hi, I’ve tried to install the updates. Even after removing systemtap and when using --clean, I am unable to install it. IIUC, I am trying to install it too soon:

```
$ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing --clean
Using sys-firewall as UpdateVM to download updates for Dom0; this may take some time...
40 files removed
Fedora 25 - x86_64 - Updates 272 kB/s | 24 MB 01:29
Fedora 25 - x86_64 3.6 MB/s | 50 MB 00:14
Qubes Dom0 Repository (updates) 1.3 MB/s | 1.3 MB 00:01
Qubes Dom0 Repository (security-testing) 1.5 MB/s | 3.0 MB 00:02
determining the fastest mirror (14 hosts).. done.-- B/s | 0 B --:-- ETA
Qubes Templates repository 2.2 kB/s | 5.9 kB 00:02
Error:
  Problem 1: problem with installed package satyr-0.21-2.fc25.x86_64
   - cannot install the best update candidate for package satyr-0.21-2.fc25.x86_64
   - nothing provides librpm.so.8()(64bit) needed by satyr-0.21-2.1.fc25.x86_64
  Problem 2: problem with installed package qubes-core-dom0-linux-4.0.28-1.fc25.x86_64
   - cannot install the best update candidate for package qubes-core-dom0-linux-4.0.28-1.fc25.x86_64
   - nothing provides rpm >= 4.14 needed by qubes-core-dom0-linux-4.0.29-1.fc25.x86_64
  Problem 3: problem with installed package python3-hawkey-0.6.4-3.fc25.x86_64
   - cannot install the best update candidate for package python3-hawkey-0.6.4-3.fc25.x86_64
   - nothing provides librpm.so.8()(64bit) needed by python3-hawkey-0.6.4-3.1.fc25.x86_64
   - nothing provides librpmio.so.8()(64bit) needed by python3-hawkey-0.6.4-3.1.fc25.x86_64
  Problem 4: problem with installed package libsolv-0.6.29-2.fc25.x86_64
   - cannot install the best update candidate for package libsolv-0.6.29-2.fc25.x86_64
   - nothing provides librpm.so.8()(64bit) needed by libsolv-0.6.29-2.1.fc25.x86_64
  Problem 5: problem with installed package hawkey-0.6.4-3.fc25.x86_64
   - cannot install the best update candidate for package hawkey-0.6.4-3.fc25.x86_64
   - nothing provides librpm.so.8()(64bit) needed by hawkey-0.6.4-3.1.fc25.x86_64
   - nothing provides librpmio.so.8()(64bit) needed by hawkey-0.6.4-3.1.fc25.x86_64
  Problem 6: problem with installed package drpm-0.3.0-3.fc25.x86_64
   - cannot install the best update candidate for package drpm-0.3.0-3.fc25.x86_64
   - nothing provides librpm.so.8()(64bit) needed by drpm-0.3.0-3.1.fc25.x86_64
   - nothing provides librpmio.so.8()(64bit) needed by drpm-0.3.0-3.1.fc25.x86_64
  Problem 7: problem with installed package deltarpm-3.6-17.fc25.x86_64
   - cannot install the best update candidate for package deltarpm-3.6-17.fc25.x86_64
   - nothing provides librpm.so.8()(64bit) needed by deltarpm-3.6-17.1.fc25.x86_64
   - nothing provides librpmio.so.8()(64bit) needed by deltarpm-3.6-17.1.fc25.x86_64
  Problem 8: problem with installed package createrepo_c-libs-0.10.0-6.fc25.x86_64
   - cannot install the best update candidate for package createrepo_c-libs-0.10.0-6.fc25.x86_64
   - nothing provides librpm.so.8()(64bit) needed by createrepo_c-libs-0.10.0-6.1.fc25.x86_64
   - nothing provides librpmio.so.8()(64bit) needed by createrepo_c-libs-0.10.0-6.1.fc25.x86_64
  Problem 9: problem with installed package createrepo_c-0.10.0-6.fc25.x86_64
   - cannot install the best update candidate for package createrepo_c-0.10.0-6.fc25.x86_64
   - nothing provides librpm.so.8()(64bit) needed by createrepo_c-0.10.0-6.1.fc25.x86_64
   - nothing provides librpmio.so.8()(64bit) needed by createrepo_c-0.10.0-6.1.fc25.x86_64
  Problem 10: problem with installed package PackageKit-1.1.5-1.fc25.x86_64
   - cannot install the best update candidate for package PackageKit-1.1.5-1.fc25.x86_64
   - nothing provides librpm.so.8()(64bit) needed by PackageKit-1.1.5-1.1.fc25.x86_64
   - nothing provides librpmio.so.8()(64bit) needed by PackageKit-1.1.5-1.1.fc25.x86_64
  Problem 11: problem with installed package python2-deltarpm-3.6-17.fc25.x86_64
   - cannot install the best update candidate for package python2-deltarpm-3.6-17.fc25.x86_64
   - package python2-deltarpm-3.6-17.1.fc25.x86_64 requires deltarpm(x86-64) = 3.6-17.1.fc25, but none of the providers can be installed
   - nothing provides librpm.so.8()(64bit) needed by deltarpm-3.6-17.1.fc25.x86_64
   - nothing provides librpmio.so.8()(64bit) needed by deltarpm-3.6-17.1.fc25.x86_64
(try to add '--skip-broken' to skip uninstallable packages)
```

Regards,
Vít Šesták ‘v6ak’

Yes, I'm seeing the same thing. I have already notified the team directly about this.

It seems to have been fixed now. The dom0 updates have passed. The DomU Fedora updates have succeeded with updating the macros.qubes file, which is supposedly the workaround by the Qubes team.

Regards,
Vít Šesták ‘v6ak’

I now realize that we neglected to state, in the QSB, what the desired result from updating Fedora-based TemplateVMs and StandaloneVMs should be. I presume this is it:

Thank you, it seems that my update is successful.

Yes this seems right (in subsequent runs, the
/usr/lib/rpm/macros.d/macros.qubes state will not have "New file"
comment, but will still have "Result: True").
Below you should also see a summary with "Failed: 0".

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

Thanks, that is indeed the output I received.

However, on a few update attempts, I saw this:

       Function: cmd.script
         Result: False
        Comment: Could not create DNF metadata cache
        Started: <time>
       Duration: <duration>
        Changes:

Maybe it should be stated explicitly that the Qubes update tool or qubesctl is needed and that just updating manually through the VM or Qubes Manager is not sufficient.

Btw, the workaround can also be confirmed by updating manually through the VM or Qubes Manager; dnf will then state that the GPG signature check is enforced globally.
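
As an added example (not part of the thread and not Qubes tooling), the success criteria described above can be checked by script: the function below reads saved output from the Qubes update tool or qubesctl and confirms that the /usr/lib/rpm/macros.d/macros.qubes state shows "Result: True" and that the summary shows "Failed: 0". The function name `check_qsb067_state`, the sample output, and the `file.managed` state function in it are constructed assumptions.

```sh
#!/bin/sh
# Added example: decide from saved Qubes update tool / qubesctl output
# whether the macros.qubes state succeeded.
# Exit status: 0 = macros.qubes has "Result: True" and summary "Failed: 0"
#              1 = a state reported "Result: False" or Failed > 0
#              2 = macros.qubes state or summary missing from the output
check_qsb067_state() {
    awk -v target="/usr/lib/rpm/macros.d/macros.qubes" '
        /^-+$/            { id = "?"; fn = "?" }   # block separator
        $1 == "ID:"       { id = $2 }
        $1 == "Function:" { fn = $2 }
        $1 == "Result:" {
            if (id == target && $2 == "True") ok = 1
            if ($2 == "False") { bad++; printf "failed state: %s (%s)\n", id, fn }
        }
        $1 == "Failed:"   { summary = 1; failed = $2 + 0 }
        END {
            if (bad > 0 || failed > 0) exit 1
            if (!ok || !summary) exit 2
        }'
}

# Constructed samples (not captured from a real system). The function
# name file.managed and the Succeeded counts are assumptions.
sample_ok='----------
          ID: /usr/lib/rpm/macros.d/macros.qubes
    Function: file.managed
      Result: True
     Comment: (constructed)
------------
Succeeded: 2
Failed:    0'

sample_failed='----------
          ID: /usr/lib/rpm/macros.d/macros.qubes
    Function: file.managed
      Result: True
----------
          ID: update
    Function: cmd.script
      Result: False
     Comment: Could not create DNF metadata cache
------------
Succeeded: 1
Failed:    1'

printf '%s\n' "$sample_ok" | check_qsb067_state && echo "macros.qubes applied"
printf '%s\n' "$sample_failed" | check_qsb067_state || echo "update incomplete (rc=$?)"
```

Exit status 2 covers the case raised in the thread where the VM was updated manually and the state never ran, so no macros.qubes entry appears in the output at all.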