Dirty Pipe is one of the most severe vulnerabilities to hit the Linux kernel in several years. The bug lets an unprivileged user overwrite data that is supposed to be read-only, an action that can lead to privilege escalation. The bug was nailed down on February 19, and for Linux flavors like Ubuntu, a patch was written and rolled out to end users in about 17 days. Android is based on Linux, so Google and Android OEMs need to fix the bug, too.
It has been a full month since the Linux desktop rollout, so how is Android doing?
According to the timeline given by Max Kellermann, the researcher who discovered the vulnerability, Google fixed Dirty Pipe in the Android codebase on February 23. But the Android ecosystem is notoriously bad at actually delivering updated code to users. In some sense, Android’s slowness has helped with this vulnerability. The bug was introduced in Linux 5.8, which was released in August 2020. So why didn’t this bug spread far and wide across the Android ecosystem over the last two years?