The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation
dirtypipe.cm4all.com
  • Arthur Besse@lemmy.mlM
    2·
    3 years ago

    This is a great writeup, but I’m not thrilled with the disclosure timeline.

    Why did the author notify Google prior to submitting the patch to LKML, but then wait another whole week after that before notifying any other Linux distributors? (The LKML post doesn’t say that the bug it fixed is an exploitable vulnerability, but after the fix was public there was a much higher chance that attackers could realize that it is.)

    Also, did any distros ship updates on March 7 when the vulnerability became fully public? Given that they were notified on February 28, it seems like they should have, but none of the ones I’ve checked did. (And while some have now, many still haven’t!)

    • Thann@lemmy.ml
      4·
      3 years ago

      disclosure timeline

      • 2021-04-29: first support ticket about file corruption
      • 2022-02-19: file corruption problem identified as Linux kernel bug, which turned out to be an exploitable vulnerability
      • 2022-02-20: bug report, exploit and patch sent to the Linux kernel security team
      • 2022-02-21: bug reproduced on Google Pixel 6; bug report sent to the Android Security Team
      • 2022-02-21: patch sent to LKML (without vulnerability details) as suggested by Linus Torvalds, Willy Tarreau and Al Viro
      • 2022-02-23: Linux stable releases with my bug fix (5.16.11, 5.15.25, 5.10.102)
      • 2022-02-24: Google merges my bug fix into the Android kernel
      • 2022-02-28: notified the linux-distros mailing list
      • 2022-03-07: public disclosure