Are kernels being updated for Dirty Pipe Vulnerability?

Hi, I know qubes OS runs w/o root password, but what about the templates for like Debian/Ubuntu and more, is the update of the Kernel of the template to a non-vulnerable version being considered?

Apologies for any ignorance that might transpire from my question.

I tested the other day and they were still vulnerable but this kind of vulnerability is useless in Qubes. Actually, qubes assumes these vulnerabilities will exist. For example in app qubes you can just become superuser just with sudo -i and no password at all. This is basically what that exploit achieves… nothing.

Updated kernels are in the security-testing repository (qubes-secpack/qsb-078-2022.txt at master · QubesOS/qubes-secpack · GitHub) which would also have fixed Dirty Pipe.
Kernels 5.16.11, 5.15.25, 5.10.102 have it fixed according to reports. Qubes also uses 4.19.x and 5.4.x branch, not sure with what minor version those are fixed, but for 5.10.x and 5.16.x the QSB reports a higher version.

EDIT: Apparently kernels below 5.8 are not affected.

Though as mentioned by deeplow, not really an issue in Qubes OS.

1 Like