On Thu, Apr 23, 2026 at 11:35:55AM +0100, Simon McVittie wrote:
> Package: bubblewrap
> Version: 0.11.0-1
> Severity: grave
> Tags: security
> X-Debbugs-Cc: Debian Security Team <[email protected]>
>
> A significant mitigation is that Debian hasn't installed bubblewrap as
> setuid root by default since 0.4.1-3 (2021, shortly before Debian 11).
> It only needs to be setuid root if the
> /proc/sys/kernel/unprivileged_userns_clone sysctl is turned off, but
> that sysctl has been on-by-default since Debian 11.
>
> In stable, obviously we should fix the vulnerability in case someone is
> still using it as setuid. I've reported this as RC out of an abundance
> of caution, but I'm not sure whether the security team will want to do
> this as a DSA or not - thoughts?

I don't think this needs a DSA. The more you deviate from sensible
defaults, the more you need to look after your setup yourself.
Disabled unprivileged user namespaces have many legit use cases,
but certainly not for desktop workloads.

Cheers,
Moritz
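
Added example, not part of the original messages and not code from Debian or the bubblewrap project: a shell check that classifies a host by the two facts named in the report, whether bwrap is setuid root and how the unprivileged_userns_clone sysctl is set. The /usr/bin/bwrap path, the function name, the result labels and the third (owner uid) argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. Default paths are assumptions (Debian layout) and can be
# overridden so the function can be exercised against constructed files.

# bwrap_exposure [BWRAP_PATH] [SYSCTL_FILE] [OWNER_UID]
# Prints exactly one of:
#   absent            no binary at BWRAP_PATH
#   not-setuid        binary is not setuid to OWNER_UID (Debian default since 0.4.1-3)
#   setuid-required   setuid, and unprivileged user namespaces are turned off
#   setuid-redundant  setuid, although unprivileged user namespaces are on
#   setuid-unknown    setuid, but the sysctl file is missing or unreadable
bwrap_exposure() {
    bwrap=${1:-/usr/bin/bwrap}
    knob=${2:-/proc/sys/kernel/unprivileged_userns_clone}
    owner=${3:-0}   # hypothetical parameter: uid that counts as "root" (for testing)

    [ -e "$bwrap" ] || { echo absent; return 0; }

    # The setuid bit must be set AND the file owned by the expected uid.
    if [ ! -u "$bwrap" ] || [ "$(stat -L -c %u "$bwrap")" != "$owner" ]; then
        echo not-setuid
        return 0
    fi

    if [ ! -r "$knob" ]; then
        echo setuid-unknown
        return 0
    fi
    case "$(cat "$knob")" in
        0) echo setuid-required ;;
        1) echo setuid-redundant ;;
        *) echo setuid-unknown ;;
    esac
}

# Check the live system only when invoked as: sh script.sh check
if [ "${1:-}" = check ]; then
    bwrap_exposure
fi
```

A result of setuid-required marks the non-default configuration discussed in this thread; setuid-redundant means the setuid bit is set although the sysctl already permits unprivileged user namespaces.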