Your message dated Sat, 16 May 2026 10:23:16 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1134965,
regarding trixie-pu: package bubblewrap/0.11.0-2+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1134965: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134965
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:bubblewrap
User: [email protected]
Usertags: pu
[ Reason ]
Fix CVE-2026-41163, a privilege escalation vulnerability in the
deprecated configuration where /usr/bin/bwrap is setuid root.
[ Impact ]
If the local sysadmin has manually set /usr/bin/bwrap to be setuid root
(normally via dpkg-statoverride), a malicious local user could use it to
mount overlayfs filesystems in their containers' filesystems, and
perhaps make use of that ability to carry out other attacks.
In practice a sysadmin would likely only do this if they have configured
their kernel to reject attempts to create user namespaces in
unprivileged processes (like the Debian 10 kernel did). Many Flatpak
apps will already not work as intended in this setup, because they
require features that bubblewrap only exposes when it is unprivileged.
[ Tests ]
The proposed bubblewrap can still run Flatpak apps on a Debian 13 GNOME
desktop (tried Discord in the normal configuration where bubblewrap is
unprivileged, and GNOME Nibbles in the deprecated configuration where
bwrap is setuid root).
[ Risks ]
A straightforward backport from bubblewrap 0.11.2-1 in unstable, which
is not yet in testing but should get there next week.
In particular I decided to leave the setuid-root configuration as still
possible in Debian 13, to minimize regression risk.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
All changes are part of fixing CVE-2026-41163. Strictly speaking the
second patch
debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch
is only hardening rather than being strictly required (those checks
should never fail if the first patch has worked as intended), but it's
rather simple.
[ Other info ]
The security team declined to do a DSA for this, on the basis that the
deprecated configuration no longer makes sense for desktop workloads
in Debian >= 11, and users of a non-default security posture are
responsible for the consequences of their choices.
After bubblewrap 0.11.2-1 has migrated to testing, I intend to swap the
value of its new -Dsupport_setuid option so that /usr/bin/bwrap will
refuse to run if it detects setuid (or more precisely, euid != uid).
Similarly, upstream plans to remove that option in 0.12.0 so that newer
bwrap releases will unconditionally refuse to run setuid.
As a result, the deprecated setup will likely no longer be possible in
Debian 14, preventing vulnerabilities like this one.
--- End Message ---
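The setuid-root configuration the report describes can be audited from the shell. The script below is an added example, not code from the bug report or from bubblewrap; it assumes GNU coreutils `stat` and `dpkg-statoverride` are available and that bwrap is installed at the path the report names.

```shell
#!/bin/sh
# Added example (not from the bug report or bubblewrap): report whether this
# host still runs the deprecated configuration in which /usr/bin/bwrap is
# setuid root, the precondition for CVE-2026-41163.
# Assumes GNU coreutils stat and dpkg-statoverride.

BWRAP=/usr/bin/bwrap

# bwrap_setuid_deprecated MODE OWNER
# MODE is the octal mode as printed by `stat -c %a` (e.g. 4755 or 755),
# OWNER the owner name from `stat -c %U`. Returns 0 (true) only when the
# setuid bit is set and the file is owned by root: the deprecated setup.
bwrap_setuid_deprecated() {
    [ "$2" = root ] || return 1
    case "$1" in
        # A leading 4, 5, 6 or 7 in a four-digit mode means the setuid bit
        # (04000) is set, possibly together with setgid (02000) or sticky.
        [4567][0-7][0-7][0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_bwrap: inspect the installed binary and any local override.
# Prints a one-line verdict; returns 0 when the deprecated setup is found.
check_bwrap() {
    if [ ! -e "$BWRAP" ]; then
        echo "$BWRAP is not installed"
        return 1
    fi
    mode=$(stat -c %a "$BWRAP")
    owner=$(stat -c %U "$BWRAP")
    if bwrap_setuid_deprecated "$mode" "$owner"; then
        echo "DEPRECATED: $BWRAP is setuid root (mode $mode)"
        # Show the dpkg-statoverride entry that normally creates this state.
        # `dpkg-statoverride --remove $BWRAP` drops the override, but the
        # file mode stays as-is until chmod u-s or a package reinstall.
        dpkg-statoverride --list "$BWRAP" 2>/dev/null
        return 0
    fi
    echo "ok: $BWRAP is unprivileged (mode $mode, owner $owner)"
    return 1
}

# Executed directly with "--check" it inspects this host; without an
# argument the file can be sourced for its functions.
if [ "${1:-}" = --check ]; then
    check_bwrap
fi
```

Run it as `sh check_bwrap.sh --check`; a zero exit status means the host still has the setuid-root bwrap that this update hardens.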
--- Begin Message ---
Package: release.debian.org
Version: 13.5
This update has been released as part of Debian 13.5.
--- End Message ---