On Thu, 23 Apr 2026 at 21:18:57 +0000, Moritz Mühlenhoff wrote:
> I don't think [CVE-2026-41163] needs a DSA. The more you deviate from sensible
> defaults, the more you need to look after your setup yourself.
Thanks, I've proposed this as a trixie update instead.
For security-tracker purposes, I think bullseye/bookworm can be marked
as unaffected by this. These versions were too old to have the --overlay
feature, so the only thing an attacker would have been able to do via
ptrace that they couldn't already do via the command-line would be to
make the privileged helper process call strlen(NULL) and crash itself,
by tracing the main bubblewrap process and making it send an invalid
PRIV_SEP_OP_SET_HOSTNAME request to the privileged process. That doesn't
seem like a security problem.
smcv
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers
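The failure mode described in the message above (an unprivileged process, which an attacker can drive via ptrace, sends a malformed request and the privileged helper dereferences a missing string with strlen(NULL)) comes down to the helper trusting its less-privileged peer. The following is an added illustration, not bubblewrap's code: the request layout, field names, constants and the two handler functions are hypothetical, chosen only to contrast a handler that assumes the payload is present with one that validates every field before use.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical request format for a privilege-separated helper.
   This is NOT bubblewrap's real wire protocol; it is constructed for
   illustration. The unprivileged sender controls every field. */
enum { OP_SET_HOSTNAME = 1 };
#define MAX_HOSTNAME 64

struct request {
    uint32_t op;         /* requested operation */
    uint32_t len;        /* bytes of payload, including the terminating NUL */
    const char *payload; /* NULL when the sender attached no payload at all */
};

static char current_hostname[MAX_HOSTNAME + 1];

/* Trusting handler: assumes the sender always attached a NUL-terminated
   hostname. A request with payload == NULL makes this call strlen(NULL)
   and crash the privileged process, exactly the denial of service the
   message above describes. Never call it with a NULL payload. */
int set_hostname_trusting(const struct request *r)
{
    size_t n = strlen(r->payload);
    if (n > MAX_HOSTNAME)
        return -1;
    memcpy(current_hostname, r->payload, n + 1);
    return 0;
}

/* Validating handler: treats the request as attacker-controlled input.
   Rejects the wrong opcode, a missing payload, an out-of-range length,
   and any payload that is not NUL-terminated exactly at len - 1
   (which also rules out embedded NULs). */
int set_hostname_checked(const struct request *r)
{
    if (r->op != OP_SET_HOSTNAME)
        return -1;
    if (r->payload == NULL || r->len < 2 || r->len > MAX_HOSTNAME + 1)
        return -1;
    if (memchr(r->payload, '\0', r->len) != r->payload + r->len - 1)
        return -1;
    memcpy(current_hostname, r->payload, r->len);
    return 0;
}

const char *get_hostname(void)
{
    return current_hostname;
}
```

The point of the checked variant is that a privileged helper cannot rely on the unprivileged side having been well-behaved: anything reachable through ptrace on that side is attacker input, so each field is bounds-checked and the string's termination is verified against the declared length before the string functions ever see it.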