Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:bubblewrap
User: [email protected]
Usertags: pu
[ Reason ]
Fix CVE-2026-41163, a privilege escalation vulnerability in the deprecated configuration where /usr/bin/bwrap is setuid root.

[ Impact ]
If the local sysadmin has manually set /usr/bin/bwrap to be setuid root (normally via dpkg-statoverride), a malicious local user could use it to mount overlayfs filesystems in their containers' filesystems, and perhaps make use of that ability to carry out other attacks.

In practice a sysadmin would likely only do this if they have configured their kernel to reject attempts to create user namespaces in unprivileged processes (like the Debian 10 kernel did). Many Flatpak apps will already not work as intended in this setup, because they require features that bubblewrap only exposes when it is unprivileged.

[ Tests ]
The proposed bubblewrap can still run Flatpak apps on a Debian 13 GNOME desktop (tried Discord in the normal configuration where bubblewrap is unprivileged, and GNOME Nibbles in the deprecated configuration where bwrap is setuid root).

[ Risks ]
A straightforward backport from bubblewrap 0.11.2-1 in unstable, which is not yet in testing but should get there next week.

In particular I decided to leave the setuid-root configuration as still possible in Debian 13, to minimize regression risk.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
All changes are part of fixing CVE-2026-41163.

Strictly speaking the second patch debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch is only hardening rather than being strictly required (those checks should never fail if the first patch has worked as intended), but it's rather simple.
[ Other info ]
The security team declined to do a DSA for this, on the basis that the deprecated configuration no longer makes sense for desktop workloads in Debian >= 11, and users of a non-default security posture are responsible for the consequences of their choices.

After bubblewrap 0.11.2-1 has migrated to testing, I intend to swap the value of its new -Dsupport_setuid option so that /usr/bin/bwrap will refuse to run if it detects setuid (or more precisely, euid != uid). Similarly, upstream plans to remove that option in 0.12.0 so that newer bwrap releases will unconditionally refuse to run setuid. As a result, the deprecated setup will likely no longer be possible in Debian 14, preventing vulnerabilities like this one.

_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers
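The report says the affected configuration is a locally applied setuid-root bit on /usr/bin/bwrap, normally registered through dpkg-statoverride. The following audit helper is an added example, not part of the bug report or of the bubblewrap package: it classifies how a bwrap binary is installed (unprivileged, setuid root, or setuid but owned by someone else) and reports whether dpkg has a statoverride for that path, so an administrator can confirm whether a machine is in the deprecated setup before or after applying the update. The function names and the output labels are this example's own choices; it assumes a POSIX sh with `find -user` and, for the override check, an installed dpkg-statoverride.

```shell
#!/bin/sh
# Audit helper (added example; not from the bug report or the bubblewrap package).
# Classifies how a bwrap binary is installed. Prints exactly one word:
#   unprivileged  - no setuid bit (the supported configuration)
#   setuid-root   - setuid bit set and owned by root (the deprecated
#                   configuration affected by CVE-2026-41163)
#   setuid-other  - setuid bit set but not owned by root (unexpected; flag it)
#   missing       - the path does not exist
bwrap_install_mode() {
    path="${1:-/usr/bin/bwrap}"
    if [ ! -e "$path" ]; then
        echo missing
        return 0
    fi
    # POSIX test -u: true when the setuid bit is set
    if [ ! -u "$path" ]; then
        echo unprivileged
        return 0
    fi
    # setuid bit is set; distinguish the root-owned case, which is the one
    # that grants root privileges to the caller.  "find path -prune -user root"
    # prints the path only when root owns it (POSIX find, no GNU extensions).
    if [ -n "$(find "$path" -prune -user root 2>/dev/null)" ]; then
        echo setuid-root
    else
        echo setuid-other
    fi
}

# Reports whether dpkg knows about a local permission override for the path,
# which is how the report says a sysadmin would normally have made bwrap setuid.
# dpkg-statoverride --list exits non-zero when no override matches.
bwrap_statoverride() {
    path="${1:-/usr/bin/bwrap}"
    if ! command -v dpkg-statoverride >/dev/null 2>&1; then
        echo "dpkg-statoverride not available on this system"
        return 0
    fi
    dpkg-statoverride --list "$path" || echo "no statoverride registered for $path"
}

# Usage: sh bwrap-audit.sh [path]   (defaults to /usr/bin/bwrap)
printf 'install mode: %s\n' "$(bwrap_install_mode "${1-}")"
bwrap_statoverride "${1-}"
```

A result of `setuid-root` together with a listed statoverride is the configuration the report describes; removing the override with `dpkg-statoverride --remove /usr/bin/bwrap` and reinstalling the package returns bwrap to the supported unprivileged mode, which is also the mode that the planned -Dsupport_setuid change will enforce.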
