0

Is it safe to run an unmaintained version of Fedora in dom0? Fedora 25 went EOL on December 12th, 2017. Qubes is currently based on Fedora 25. From the Qubes FAQ,

Dom0 is isolated from domUs. DomUs can access only a few interfaces, such as Xen, device backends (in the dom0 kernel and in other VMs, such as the NetVM), and Qubes tools (gui-daemon, qrexec-daemon, etc.). These components are security-critical, and we provide updates for all of them (when necessary), regardless of the support status of the base distribution. For this reason, we consider it safe to continue using a given base distribution in dom0 even after it has reached EOL (end-of-life).

It seems like the Qubes team is essentially saying that they're maintaining the Kernel and Xen from the Fedora 25 branch themselves. Looking at some of the Qubes Security Bulletins I found this one, Fedora os-prober considered harmful. The solution there was to remove that package from dom0. How many other packages are in dom0? It seems like the average install of Qubes includes running a window manager in dom0. If so, does Qubes repackage KDE/Xfce and the like or do they use the EOL'd stuff in FC25?

Evan Carroll

1 Answer

0

Dom0 has been designed in such a way that it is (or should be) impossible to have any Internet connection other than when downloading updates for various dom0 elements (kernel updates and template VMs, to name a few), and then only through the updates VM, which is usually the Net-VM or some other VM that uses the Net-VM for network access.

Considering that the update repos are not compromised, the only way Dom0 and essentially Qubes could get owned is by installing any third-party software on it.*

So any bugs in potentially outdated software in Dom0, like Xfce or KDE Plasma, are irrelevant to a machine that has no network connection and uses only software trusted by the Qubes Team.

*I should note that I was referring to potential compromise through action directly from Dom0. If you're wondering about privilege escalation from another VM to Dom0 you're probably looking at GUI agent exploits.

For example, one of the core files of qubes-gui-daemon is programmed to prompt the user whenever a VM attempts to pass an invalid/very large value to a specific window size, marking the behaviour as suspicious and as an attempt to compromise Dom0 (line 156).

sbtmcipu
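The kind of check the answer above describes, sketched as an added example; it is not part of the original post and is not code from qubes-gui-daemon. The limits, struct layout and function names are assumptions chosen for illustration: geometry received from an untrusted VM is rejected as suspicious before any trusted code sizes a buffer from it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical limits and names, chosen for this example only. */
#define MAX_WIN_WIDTH   16384u
#define MAX_WIN_HEIGHT   6144u
#define BYTES_PER_PIXEL     4u

enum geom_verdict { GEOM_OK = 0, GEOM_SUSPICIOUS = 1 };

/* Geometry fields as an untrusted VM might send them (constructed layout). */
struct win_geometry_msg {
    int32_t x, y;
    uint32_t width, height;
};

/* Validate untrusted geometry; *buf_bytes is written only when it is accepted. */
enum geom_verdict check_geometry(const struct win_geometry_msg *m, size_t *buf_bytes)
{
    /* Zero or oversized dimensions are never legitimate. */
    if (m->width == 0 || m->width > MAX_WIN_WIDTH)
        return GEOM_SUSPICIOUS;
    if (m->height == 0 || m->height > MAX_WIN_HEIGHT)
        return GEOM_SUSPICIOUS;
    /* Bound the position so later x + width arithmetic cannot overflow. */
    if (m->x < -(int32_t)MAX_WIN_WIDTH || m->x > (int32_t)MAX_WIN_WIDTH)
        return GEOM_SUSPICIOUS;
    if (m->y < -(int32_t)MAX_WIN_HEIGHT || m->y > (int32_t)MAX_WIN_HEIGHT)
        return GEOM_SUSPICIOUS;
    /* Size arithmetic in 64 bits cannot wrap; then confirm it fits size_t. */
    uint64_t bytes = (uint64_t)m->width * m->height * BYTES_PER_PIXEL;
    if (bytes > SIZE_MAX)
        return GEOM_SUSPICIOUS;
    *buf_bytes = (size_t)bytes;
    return GEOM_OK;
}

int main(void)
{
    /* Constructed sample messages: one sane, two that must be flagged. */
    struct win_geometry_msg msgs[] = {
        {0, 0, 800, 600}, {0, 0, 0xFFFFFFFFu, 600}, {0, 0, 65536, 65536}};
    for (size_t i = 0; i < sizeof msgs / sizeof msgs[0]; i++) {
        size_t n = 0;
        enum geom_verdict v = check_geometry(&msgs[i], &n);
        printf("%ux%u -> %s (%zu bytes)\n", (unsigned)msgs[i].width,
               (unsigned)msgs[i].height, v == GEOM_OK ? "ok" : "suspicious", n);
    }
    return 0;
}
```

The third message is the interesting one: 65536 x 65536 x 4 wraps to 0 in 32-bit arithmetic, which is why the dimensions are bounded before the multiplication rather than after it.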