From: Salvatore Bonaccorso
Newsgroups: linux.debian.bugs.dist,linux.debian.devel.release
Subject: Bug#1134965: trixie-pu: package bubblewrap/0.11.0-2+deb13u1
Date: Mon, 27 Apr 2026 21:10:01 +0200
To: Simon McVittie, 1134965@bugs.debian.org
Cc: debian-release@lists.debian.org

Hi Simon,

On Sun, Apr 26, 2026 at 02:33:35PM +0100, Simon McVittie wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie
> X-Debbugs-Cc: bubblewrap@packages.debian.org
> Control: affects -1 + src:bubblewrap
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> [ Reason ]
>
> Fix CVE-2026-41163, a privilege escalation vulnerability in the
> deprecated configuration where /usr/bin/bwrap is setuid root
>
> [ Impact ]
>
> If the local sysadmin has manually set /usr/bin/bwrap to be setuid root
> (normally via dpkg-statoverride), a malicious local user could use it to
> mount overlayfs filesystems in their containers' filesystems, and
> perhaps make use of that ability to carry out other attacks.
>
> In practice a sysadmin would likely only do this if they have configured
> their kernel to reject attempts to create user namespaces in
> unprivileged processes (like the Debian 10 kernel did). Many Flatpak
> apps will already not work as intended in this setup, because they
> require features that bubblewrap only exposes when it is unprivileged.
>
> [ Tests ]
>
> The proposed bubblewrap can still run Flatpak apps on a Debian 13 GNOME
> desktop (tried Discord in the normal configuration where bubblewrap is
> unprivileged, and GNOME Nibbles in the deprecated configuration where
> bwrap is setuid root).
>
> [ Risks ]
>
> A straightforward backport from bubblewrap 0.11.2-1 in unstable, which
> is not yet in testing but should get there next week.
>
> In particular I decided to leave the setuid-root configuration as still
> possible in Debian 13, to minimize regression risk.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
>
> All changes are part of fixing CVE-2026-41163. Strictly speaking the
> second patch
> debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch
> is only hardening rather than being strictly required (those checks
> should never fail if the first patch has worked as intended), but it's
> rather simple.
>
> [ Other info ]
>
> The security team declined to do a DSA for this, on the basis that the
> deprecated configuration no longer makes sense for desktop workloads
> in Debian >= 11, and users of a non-default security posture are
> responsible for the consequences of their choices.
>
> After bubblewrap 0.11.2-1 has migrated to testing, I intend to swap the
> value of its new -Dsupport_setuid option so that /usr/bin/bwrap will
> refuse to run if it detects setuid (or more precisely, euid != uid).
> Similarly, upstream plans to remove that option in 0.12.0 so that newer
> bwrap releases will unconditionally refuse to run setuid.
>
> As a result, the deprecated setup will likely no longer be possible in
> Debian 14, preventing vulnerabilities like this one.

A formal comment only: it looks like the debdiff is missing here, can you attach it?

Regards,
Salvatore
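The report above matters to an administrator only if their system is actually in the deprecated configuration: /usr/bin/bwrap made setuid root (normally through dpkg-statoverride), usually on a kernel that forbids unprivileged user namespaces. The following audit helper is an added example written for this thread; it is not part of the Debian bubblewrap package, upstream bubblewrap, or the debdiff under discussion. It assumes a Linux userland where `dpkg-statoverride --list` prints records as `<user> <group> <mode> <path>` and where the Debian-specific `kernel.unprivileged_userns_clone` sysctl is readable under /proc/sys when present; both are assumptions, not facts stated in the report.

```shell
#!/bin/sh
# Audit helper for the deprecated "bwrap is setuid root" configuration.
# Added example for this bug thread; not Debian's or bubblewrap's own code.
# Assumptions: POSIX sh with ls(1) and awk(1); dpkg-statoverride --list
# output format "<user> <group> <mode> <path>"; Debian's optional
# kernel.unprivileged_userns_clone sysctl (0 = unprivileged userns disabled).

# setuid_state PATH
# Prints one of: missing, not-setuid, setuid-nonroot, setuid-root.
setuid_state() {
    path=$1
    if [ ! -e "$path" ]; then
        echo missing
        return 0
    fi
    if [ ! -u "$path" ]; then          # POSIX test: set-user-ID bit present?
        echo not-setuid
        return 0
    fi
    owner_uid=$(ls -ldn "$path" | awk '{ print $3 }')   # numeric owner uid
    if [ "$owner_uid" = 0 ]; then
        echo setuid-root
    else
        echo setuid-nonroot
    fi
}

# override_grants_setuid_root RECORD PATH
# RECORD is one dpkg-statoverride --list line. Returns 0 when it makes PATH
# root-owned with the setuid bit set (mode 4xxx, 6xxx, etc.), else 1.
override_grants_setuid_root() {
    record=$1
    want=$2
    set -- $record                       # split into user group mode path
    [ "$#" -eq 4 ] || return 1
    [ "$4" = "$want" ] || return 1
    [ "$1" = root ] || return 1
    case $3 in
        [4-7]???|0[4-7]???) return 0 ;;  # first octal digit carries the setuid bit
    esac
    return 1
}

# userns_restricted [SYSCTL_FILE]
# Returns 0 when the sysctl file reads 0 (unprivileged user namespaces
# disabled), 1 when it reads anything else or does not exist.
userns_restricted() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = 0 ]
}

# audit_bwrap [PATH]
# Prints a one-line summary and exits non-zero if the deprecated
# setuid-root configuration is present on the live system.
audit_bwrap() {
    path=${1:-/usr/bin/bwrap}
    state=$(setuid_state "$path")
    override=no
    if command -v dpkg-statoverride >/dev/null 2>&1; then
        rec=$(dpkg-statoverride --list "$path" 2>/dev/null || true)
        if [ -n "$rec" ] && override_grants_setuid_root "$rec" "$path"; then
            override=yes
        fi
    fi
    if userns_restricted; then ns=restricted; else ns=allowed; fi
    echo "$path: $state; statoverride grants setuid-root: $override; unprivileged userns: $ns"
    [ "$state" != setuid-root ]
}

# Constructed sample of a dpkg-statoverride record, for reference only.
SAMPLE_OVERRIDE='root root 4755 /usr/bin/bwrap'

audit_bwrap "${1:-/usr/bin/bwrap}" || echo "deprecated setuid-root bwrap present"
```

Run it as `sh audit-bwrap.sh` (or with an explicit path) on the host in question: a `setuid-root` state, or a statoverride record that grants it, means the host is in the configuration CVE-2026-41163 applies to and should take the fixed package; the user-namespace column explains why the override was probably added in the first place.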