Your message dated Thu, 30 Apr 2026 19:47:06 +0000
with message-id <[email protected]>
and subject line Bug#1134704: fixed in bubblewrap 0.11.0-2+deb13u1
has caused the Debian Bug report #1134704,
regarding bubblewrap: CVE-2026-41163: Privilege escalation if setuid root, via ptrace
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1134704: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134704
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bubblewrap
Version: 0.11.0-1
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>

bubblewrap >= 0.11.0 has a security vulnerability **if** installed 
setuid root:

>If bubblewrap is installed in setuid mode then the user can use ptrace
>to attach to bubblewrap and control the unprivileged part of the sandbox
>setup phase. This allows the attacker to arbitrarily use the
>privileged operations, and in particular the "overlay mount" operation,
>allowing the creation of overlay mounts, which is otherwise not allowed
>in the setuid version of bubblewrap.

A significant mitigation is that Debian hasn't installed bubblewrap as 
setuid root by default since 0.4.1-3 (2021, shortly before Debian 11). 
It only needs to be setuid root if the 
/proc/sys/kernel/unprivileged_userns_clone sysctl is turned off, but 
that sysctl has been on-by-default since Debian 11.

In stable, obviously we should fix the vulnerability in case someone is 
still using it as setuid. I've reported this as RC out of an abundance 
of caution, but I'm not sure whether the security team will want to do 
this as a DSA or not - thoughts?

Upstream have now deprecated the ability to install bubblewrap as setuid 
root. In the 0.11.2 upstream release that fixes the vulnerability, 
there's a new compile-time option for whether to support setuid (off by 
default), and if it's disabled, bubblewrap will just refuse to run if it 
detects that it has been made setuid (real uid != effective uid). Future 
upstream releases are expected to remove the option, and make it 
unconditionally refuse to run setuid.

My intention is to make it refuse to be setuid in testing/unstable 
(probably one more upload with setuid-root discouraged but possible, and 
then the next upload after that will disable it altogether) but I think 
that's probably too much of a regression risk for stable.

    smcv

--- End Message ---
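For a sysadmin who wants to know whether a host is in the configuration the report above describes (bwrap setuid root, which is only needed when the unprivileged_userns_clone sysctl is off), here is an added audit script; it is not from the bug report or the bubblewrap package. It assumes GNU or BusyBox `stat`, and takes the binary and sysctl paths as parameters so the checks can be exercised on constructed test files.

```shell
#!/bin/sh
# Added example, not from the bug report or the Debian package: classify a
# host against the setuid-root bwrap configuration the report describes.
# Paths are parameters so the checks can run against constructed files.

# 0 if $1 exists and carries the setuid bit, 1 otherwise.
has_setuid_bit() {
    [ -u "$1" ]
}

# Print the numeric owner uid of $1 (GNU/BusyBox stat).
owner_uid() {
    stat -c %u "$1"
}

# 0 when the sysctl file at $1 reads 1 (unprivileged user namespaces allowed).
# The sysctl is Debian-specific; a missing file means an upstream kernel,
# which allows them by default, so that also counts as enabled.
userns_clone_enabled() {
    [ ! -e "$1" ] || [ "$(cat "$1")" = 1 ]
}

# Classify the bwrap binary at $1 given the sysctl file at $2. Prints one of:
#   not-installed       no binary at that path
#   ok                  not setuid root: the ptrace issue does not apply
#   setuid-unnecessary  setuid root although user namespaces are allowed,
#                       so the override setting the bit can simply be dropped
#   setuid-needed       setuid root and user namespaces are off: install the
#                       fixed package (0.11.0-2+deb13u1 on trixie)
audit_bwrap() {
    bin=$1; sysctl=$2
    [ -e "$bin" ] || { echo not-installed; return 0; }
    if has_setuid_bit "$bin" && [ "$(owner_uid "$bin")" = 0 ]; then
        if userns_clone_enabled "$sysctl"; then
            echo setuid-unnecessary
        else
            echo setuid-needed
        fi
    else
        echo ok
    fi
}

# On a Debian host, also show the dpkg-statoverride that would have set the bit.
if command -v dpkg-statoverride >/dev/null; then
    dpkg-statoverride --list /usr/bin/bwrap || echo "no statoverride for /usr/bin/bwrap"
fi
audit_bwrap /usr/bin/bwrap /proc/sys/kernel/unprivileged_userns_clone
```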
--- Begin Message ---
Source: bubblewrap
Source-Version: 0.11.0-2+deb13u1
Done: Simon McVittie <[email protected]>

We believe that the bug you reported is fixed in the latest version of
bubblewrap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated bubblewrap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Sun, 26 Apr 2026 14:05:43 +0100
Source: bubblewrap
Architecture: source
Version: 0.11.0-2+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1134704
Changes:
 bubblewrap (0.11.0-2+deb13u1) trixie; urgency=medium
 .
   * d/control, d/gbp.conf: Branch for Debian 13 stable updates
   * d/patches: Fix privilege escalation if bubblewrap is setuid root.
     /usr/bin/bwrap has not been installed setuid-root by default since
     Debian 11, but if it was made setuid via a dpkg-statoverride set up
     by the local sysadmin (most likely in conjunction with turning off
     the ability for unprivileged users to create new user namespaces),
     then the version included in Debian 13.4 would be vulnerable.
     (CVE-2026-41163, Closes: #1134704)
     Note that the ability to install bubblewrap setuid-root has been
     deprecated upstream, and the version included in Debian 14 will
     refuse to run if it is setuid.



--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers
