

Groups > linux.debian.bugs.dist > #1291225

Bug#1134965: trixie-pu: package bubblewrap/0.11.0-2+deb13u1

From Salvatore Bonaccorso <carnil@debian.org>
Newsgroups linux.debian.bugs.dist, linux.debian.devel.release
Subject Bug#1134965: trixie-pu: package bubblewrap/0.11.0-2+deb13u1
Date 2026-04-27 21:10 +0200
Message-ID <MOzvb-Rp1-1@gated-at.bofh.it> (permalink)
References <MO7Sh-yzL-21@gated-at.bofh.it> <MO7Sh-yzL-21@gated-at.bofh.it>
Organization linux.* mail to news gateway

Cross-posted to 2 groups.



Hi Simon,

On Sun, Apr 26, 2026 at 02:33:35PM +0100, Simon McVittie wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie
> X-Debbugs-Cc: bubblewrap@packages.debian.org
> Control: affects -1 + src:bubblewrap
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> [ Reason ]
> 
> Fix CVE-2026-41163, a privilege escalation vulnerability in the 
> deprecated configuration where /usr/bin/bwrap is setuid root
> 
> [ Impact ]
> 
> If the local sysadmin has manually set /usr/bin/bwrap to be setuid root 
> (normally via dpkg-statoverride), a malicious local user could use it to 
> mount overlayfs filesystems in their containers' filesystems, and 
> perhaps make use of that ability to carry out other attacks.
> 
> In practice a sysadmin would likely only do this if they have configured 
> their kernel to reject attempts to create user namespaces in 
> unprivileged processes (like the Debian 10 kernel did). Many Flatpak 
> apps will already not work as intended in this setup, because they 
> require features that bubblewrap only exposes when it is unprivileged.
> 
> [ Tests ]
> 
> The proposed bubblewrap can still run Flatpak apps on a Debian 13 GNOME 
> desktop (tried Discord in the normal configuration where bubblewrap is 
> unprivileged, and GNOME Nibbles in the deprecated configuration where 
> bwrap is setuid root).
> 
> [ Risks ]
> 
> A straightforward backport from bubblewrap 0.11.2-1 in unstable, which 
> is not yet in testing but should get there next week.
> 
> In particular I decided to leave the setuid-root configuration as still 
> possible in Debian 13, to minimize regression risk.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> 
> All changes are part of fixing CVE-2026-41163. Strictly speaking the 
> second patch 
> debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch 
> is only hardening rather than being strictly required (those checks 
> should never fail if the first patch has worked as intended), but it's 
> rather simple.
> 
> [ Other info ]
> 
> The security team declined to do a DSA for this, on the basis that the 
> deprecated configuration no longer makes sense for desktop workloads 
> in Debian >= 11, and users of a non-default security posture are 
> responsible for the consequences of their choices.
> 
> After bubblewrap 0.11.2-1 has migrated to testing, I intend to swap the 
> value of its new -Dsupport_setuid option so that /usr/bin/bwrap will 
> refuse to run if it detects setuid (or more precisely, euid != uid). 
> Similarly, upstream plans to remove that option in 0.12.0 so that newer 
> bwrap releases will unconditionally refuse to run setuid.
> 
> As a result, the deprecated setup will likely no longer be possible in 
> Debian 14, preventing vulnerabilities like this one.

A formal comment only: it looks like the debdiff is missing here; can you
attach it?

Regards,
Salvatore
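The report only matters on hosts where the sysadmin has made /usr/bin/bwrap setuid root, usually via dpkg-statoverride, typically because the kernel denies unprivileged user namespaces. The following audit script is an added example for this page, not code from the bug thread or from the bubblewrap package. It classifies the installed binary's mode and owner (a root-owned file with the setuid bit is what gives a non-root caller euid 0 != uid, the condition the planned refusal check tests), lists any dpkg-statoverride for the path, reads Debian's kernel.unprivileged_userns_clone sysctl where present, and expresses the euid != uid refusal itself in shell terms. It assumes GNU coreutils stat and a Debian-style dpkg; the path /usr/bin/bwrap and the fixed version string come from the report.

```shell
#!/bin/sh
# Added example (not part of the bug report or the bubblewrap package):
# audit whether the local bwrap is in the deprecated setuid-root
# configuration that CVE-2026-41163 affects. Assumes GNU coreutils stat
# and a Debian-style dpkg; /usr/bin/bwrap is the path from the report.

# Classify a file's octal mode and owner. Prints one of:
#   setuid-root   root-owned with the setuid bit: non-root callers get euid 0
#   setuid-other  setuid but owned by someone else
#   unprivileged  no setuid bit (setgid/sticky alone do not count)
bwrap_posture() {
    mode=$1    # e.g. 4755 as printed by stat -c %a
    owner=$2   # e.g. root
    # stat prints a leading special-bits digit only when one is set (4755);
    # otherwise three digits (755).
    case "$mode" in
        ????) special=${mode%???} ;;
        *)    special=0 ;;
    esac
    # special digit: 4 = setuid, 2 = setgid, 1 = sticky (and sums of these)
    case "$special" in
        4|5|6|7)
            if [ "$owner" = root ]; then echo setuid-root; else echo setuid-other; fi ;;
        *)  echo unprivileged ;;
    esac
}

# The refusal bubblewrap 0.11.2's -Dsupport_setuid option introduces,
# in shell terms: the caller's effective uid differs from its real uid.
# Returns 0 (true) when running under a changed euid.
euid_differs_from_uid() {
    [ "$(id -u)" != "$(id -ru)" ]
}

# Print the dpkg-statoverride entry for a path, or "none".
statoverride_for() {
    if command -v dpkg-statoverride >/dev/null 2>&1; then
        dpkg-statoverride --list "$1" 2>/dev/null || echo none
    else
        echo none
    fi
}

# Does the running kernel let unprivileged processes create user namespaces?
# Debian kernels expose this as kernel.unprivileged_userns_clone; kernels
# without that knob follow the upstream default, which allows it.
userns_policy() {
    f=/proc/sys/kernel/unprivileged_userns_clone
    if [ -r "$f" ]; then
        if [ "$(cat "$f")" = 1 ]; then echo allowed; else echo denied; fi
    else
        echo allowed
    fi
}

audit_bwrap() {
    path=${1:-/usr/bin/bwrap}
    if [ ! -e "$path" ]; then
        echo "$path: not installed"
        return 0
    fi
    mode=$(stat -c %a "$path")
    owner=$(stat -c %U "$path")
    posture=$(bwrap_posture "$mode" "$owner")
    echo "$path: mode $mode owner $owner -> $posture"
    echo "dpkg-statoverride: $(statoverride_for "$path")"
    echo "unprivileged user namespaces: $(userns_policy)"
    if [ "$posture" = setuid-root ]; then
        echo "AFFECTED: deprecated setuid-root configuration; update to 0.11.0-2+deb13u1 or remove the override"
    fi
}

audit_bwrap "$@"
```

Run it as any user; reading the mode, the statoverride database and the sysctl needs no privilege. A result of "setuid-root" together with "denied" is exactly the setup the report describes; "setuid-root" with "allowed" means the override is no longer needed and can simply be dropped with dpkg-statoverride --remove.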



Thread

Bug#1134965: trixie-pu: package bubblewrap/0.11.0-2+deb13u1 Simon McVittie <smcv@debian.org> - 2026-04-26 15:40 +0200
  Bug#1134965: trixie-pu: package bubblewrap/0.11.0-2+deb13u1 Salvatore Bonaccorso <carnil@debian.org> - 2026-04-27 21:10 +0200
    Bug#1134965: trixie-pu: package bubblewrap/0.11.0-2+deb13u1 Simon McVittie <smcv@debian.org> - 2026-04-27 23:50 +0200
  Bug#1134965: bubblewrap 0.11.0-2+deb13u1 flagged for acceptance Adam D Barratt <adam@adam-barratt.org.uk> - 2026-04-30 21:50 +0200
