Your message dated Thu, 23 Apr 2026 12:51:58 +0000
with message-id <[email protected]>
and subject line Bug#1134704: fixed in bubblewrap 0.11.2-1
has caused the Debian Bug report #1134704,
regarding bubblewrap: CVE-2026-41163: Privilege escalation if setuid root, via ptrace
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1134704: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134704
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bubblewrap
Version: 0.11.0-1
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
bubblewrap >= 0.11.0 has a security vulnerability **if** installed
setuid root:
>If bubblewrap is installed in setuid mode then the user can use ptrace
>to attach to bubblewrap and control the unprivileged part of the sandbox
>setup phase. This allows the attacker to arbitrarily use the
>privileged operations, and in particular the "overlay mount" operation,
>allowing the creation of overlay mounts which is otherwise not allowed
>in the setuid version of bubblewrap.
A significant mitigation is that Debian hasn't installed bubblewrap as
setuid root by default since 0.4.1-3 (2021, shortly before Debian 11).
It only needs to be setuid root if the
/proc/sys/kernel/unprivileged_userns_clone sysctl is turned off, but
that sysctl has been on-by-default since Debian 11.
In stable, obviously we should fix the vulnerability in case someone is
still using it as setuid. I've reported this as RC out of an abundance
of caution, but I'm not sure whether the security team will want to do
this as a DSA or not - thoughts?
Upstream have now deprecated the ability to install bubblewrap as setuid
root. In the 0.11.2 upstream release that fixes the vulnerability,
there's a new compile-time option for whether to support setuid (off by
default), and if it's disabled, bubblewrap will just refuse to run if it
detects that it has been made setuid (real uid != effective uid). Future
upstream releases are expected to remove the option, and make it
unconditionally refuse to run setuid.
My intention is to make it refuse to be setuid in testing/unstable
(probably one more upload with setuid-root discouraged but possible, and
then the next upload after that will disable it altogether) but I think
that's probably too much of a regression risk for stable.
smcv
--- End Message ---
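As an added example (not part of the bug report or of the bubblewrap package), the following POSIX shell script checks whether a host is in the exposed configuration described above: bwrap installed setuid root, at a version in the affected range stated in the report (0.11.0 up to but not including 0.11.2). The bwrap path, the dpkg-query call and the sysctl read at the bottom are assumptions about a Debian host; the check functions themselves run anywhere.

```shell
#!/bin/sh
# Constructed example: assess exposure to CVE-2026-41163 (bubblewrap ptrace
# privilege escalation). The bug only matters when bwrap is setuid root, and
# Debian has not installed it that way by default since 0.4.1-3.

# Return 0 if $1 exists and is setuid and owned by root (the vulnerable mode).
is_setuid_root() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -maxdepth 0 -perm -4000 -user root 2>/dev/null)" ]
}

# Return 0 if $1 (e.g. "0.11.1" or Debian's "0.11.1-1") is in [0.11.0, 0.11.2).
# Anything that is not a plain dotted number is treated as not affected.
version_affected() {
    ver=${1%%-*}                      # drop a Debian revision such as "-1"
    case $ver in '' | *[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    [ "${1:-0}" -eq 0 ] && [ "${2:-0}" -eq 11 ] && [ "${3:-0}" -lt 2 ]
}

# Combine the checks: print one verdict line, return 0 only if exposed.
# $3 is the value of kernel.unprivileged_userns_clone ("1" means enabled).
assess_bwrap() {
    path=$1; version=$2; userns_clone=$3
    if ! is_setuid_root "$path"; then
        echo "not exposed: $path is not setuid root"; return 1
    fi
    if ! version_affected "$version"; then
        echo "not exposed: version $version is outside the affected range"; return 1
    fi
    if [ "$userns_clone" = "1" ]; then
        echo "EXPOSED: $path is setuid root although unprivileged user namespaces" \
             "are enabled; clearing the setuid bit removes the exposure"
    else
        echo "EXPOSED: $path is setuid root; upgrade to 0.11.2-1 or later"
    fi
    return 0
}

# Live check (assumed Debian layout); harmless on hosts without bubblewrap.
bwrap_path=$(command -v bwrap 2>/dev/null || echo /usr/bin/bwrap)
live_version=$(dpkg-query -W -f '${Version}' bubblewrap 2>/dev/null || echo unknown)
userns=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo unknown)
assess_bwrap "$bwrap_path" "$live_version" "$userns" || true
```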
--- Begin Message ---
Source: bubblewrap
Source-Version: 0.11.2-1
Done: Simon McVittie <[email protected]>
We believe that the bug you reported is fixed in the latest version of
bubblewrap, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated bubblewrap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 23 Apr 2026 12:25:34 +0100
Source: bubblewrap
Architecture: source
Version: 0.11.2-1
Distribution: unstable
Urgency: medium
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1134704
Changes:
bubblewrap (0.11.2-1) unstable; urgency=medium
.
* New upstream release
- Fixes a root privilege escalation vulnerability if bwrap has been
made setuid root locally (CVE-2026-41163, Closes: #1134704).
Most Debian systems have a non-setuid bubblewrap and therefore
are unaffected by this.
* d/rules: Temporarily allow bubblewrap to be setuid root.
This configuration is a security risk and rarely necessary, so the
option is deprecated, and a future upstream version will
unconditionally refuse to run if it detects that it has been run
setuid root.
* d/README.Debian: Update to reflect deprecation of setuid-root bwrap
* d/NEWS: Mention deprecation of setuid-root mode
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers