We have just published Qubes Security Bulletin (QSB) 073: Race condition when setting override-redirect flag. The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-073 in the qubes-secpack:
In addition, you may wish to:
- Get the qubes-secpack: https://www.qubes-os.org/security/pack/
- View all past QSBs: https://www.qubes-os.org/security/qsb/
- View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 073 ]===--- 2021-10-15 Race condition when setting override-redirect flag User action required --------------------- Users must install the following specific packages in order to address the issues discussed in this bulletin: For Qubes 4.0, in dom0: - qubes-gui-dom0 version 4.0.17 For Qubes 4.1, in dom0 and the template(s) of any GUI qube(s) : - qubes-gui-daemon version 4.1.18 These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community.  Once available, the packages are to be installed via the Qubes Update tool or its command-line equivalents.  The user session must be restarted afterward in order for the updates to take effect, e.g., by logging out then logging back in. Summary -------- An override-redirect flag in the X11 protocol tells the window manager not to manage a particular window. Windows with such flags do not get their frames or title bars from the window manger, nor does the window manager determine their positions. This feature is used for application menus, tooltips, and similar accessory windows. Unfortunately, some window managers get confused if the override-redirect flag is set shortly before making the window visible. When that happens, the window manager may try to move or resize the window without respecting any size and position constraints imposed by the GUI daemon. Normally, every window move and resize action requested by the VM is validated by the GUI daemon. However, if the action is initiated by the window manager, it doesn't require the GUI daemon's validation. Impact ------- A malicious application may try to hide its unspoofable colored frame off-screen. Hiding all four sides is prevented by another constraint (forbidding a override-redirect window from covering more than 90% of the screen), but hiding some sides is possible. The issue is known to affect XFCE and KDE. Other desktop environments may also be affected. Discussion ----------- This is yet another corner case in handling the override-redirect flag. In the long term, we will try to eliminate use of this flag completely. As an immediate fix, we are adding additional validation of constraints placed on windows with the override-redirect flag. This validation is done whenever a window is moved or resized, regardless of what initiated the action. If an illegal size or position is detected, the GUI daemon will try to resize or move the window back to a legal size and position. While this is a reactive solution (in the sense that it allows windows to enter illegal states before correcting them), it will cover several more cases, including the case in which another application resizes a window behind the GUI daemon's back (which is the case being reported in this QSB). Moreover, this solution serves as an additional safety check in case the GUI daemon itself misses any other edge cases. Credits -------- This issue was discovered by Demi Marie Obenour. Notes ------  In Qubes 4.1, certain GUI functions historically served by dom0 can be delegated to separate template-based "GUI qubes." A single Qubes 4.1 system can have multiple GUI qubes.  https://www.qubes-os.org/doc/testing/  https://www.qubes-os.org/doc/how-to-update/ -- The Qubes Security Team https://www.qubes-os.org/security/