Linux Dirty Pipe and Spectre-BHB BHI vulnerabilities

TL;DR: Looks like it would be wise to update to a kernel in the 5.17 series, or a confirmed patched backport or security update as soon as your distro has it available …

2 Likes

Apparently the vulnerability began with kernel 5.8. Unfortunately, as the Framework is a fairly new device, most of its support is under kernels after 5.8.

For those wanting to check their kernel version there is uname -r:

$ uname -r

$ cat /etc/lsb-release

Personally, I still have not committed to Windows 11 on the Framework. Reports are that “Dirty Pipe” is not remotely exploitable, and so the risk should be relatively low if one is not downloading files from sketchy sources and installing software or otherwise executing those files. Which means that people will probably be joking that the code was introduced by a Microsoft developer…

2 Likes

What makes you say specifically 5.17? Mostly asking since what I’ve heard so far + your source state that 5.16.11 upwards should all be good (which is e.g. relevant for Arch users as their kernel is likely already at 5.16.13).

Edit: Nevermind, should’ve read the second source. Everything north of 5.16.11 saves you from Dirty Pipe, 5.17.0 and upwards will contain mitigations for Spectre-BHB

There are also backports to older kernels, except for 5.8. For instance here is the Ubuntu page for the Dirty Pipe vulnerability:

2 Likes

Exactly. Stay on a supported LTS and keep it updated. Canonical will push the patches needed. Live the boring life without risk of regressions.

2 Likes

Edited first post to include reference to back ports and patched lts kernels. I forget not everybody dances on the bleeding edge like us arch folks lol.

I’m on openSUSE Tumbleweed - no boring live for me. :smiley:

1 Like