On Tue, Apr 28, 2026 at 11:59:56AM +0100, Simon McVittie wrote:
> On Thu, 23 Apr 2026 at 21:18:57 +0000, Moritz Mühlenhoff wrote:
> > I don't think [CVE-2026-41163] needs a DSA. The more you deviate from
> > sensible defaults, the more you need to look after your setup yourself.
> 
> Thanks, I've proposed this as a trixie update instead.
> 
> For security-tracker purposes, I think bullseye/bookworm can be marked
> as unaffected by this. These versions were too old to have the --overlay
> feature, so the only thing an attacker would have been able to do via
> ptrace that they couldn't already do via the command-line would be to
> make the privileged helper process call strlen(NULL) and crash itself,
> by tracing the main bubblewrap process and making it send an invalid
> PRIV_SEP_OP_SET_HOSTNAME request to the privileged process. That doesn't
> seem like a security problem.

Thanks, I've updated the Security Tracker.

Cheers,
        Moritz

_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers