Fixing Dirty Pipe: Samsung rolls out Google code faster than Google
Dirty Pipe is one of the most severe vulnerabilities to hit the Linux kernel in several years. The bug lets an unprivileged user overwrite data that is supposed to be read-only, an action that can lead to privilege escalation. The bug was nailed down on February 19, and for Linux flavors like Ubuntu, a patch was written and rolled out to end users in about 17 days. Android is based on Linux, so Google and Android manufacturers need to fix the bug, too.
It has been a full month since the Linux desktop rollout, so how is Android doing?
According to the timeline given by Max Kellermann, the researcher who discovered the vulnerability, Google fixed Dirty Pipe in the Android codebase on February 23. But the Android ecosystem is notoriously bad at actually delivering updated code to users. In some sense, Android's slowness has helped with this vulnerability. The bug was introduced in Linux 5.8, which was released in August 2020. So why didn't the bug spread far and wide across the Android ecosystem over the last two years?