Your message dated Tue, 16 Jun 2026 09:35:08 +0000
with message-id <[email protected]>
and subject line Bug#1140128: fixed in rust-wasmtime 36.0.11+dfsg-1
has caused the Debian Bug report #1140128,
regarding rust-wasmtime: CVE-2026-47261
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140128: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140128
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rust-wasmtime
Version: 36.0.9+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for rust-wasmtime.
CVE-2026-47261[0]:
| Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9,
| 36.0.10, and 44.0.2, when a filesystem preopen is given
| DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this
| access control mechanism can be bypassed via the wasip2
| descriptor.open-at or wasip1 path_open interfaces by opening a file
| with only the OpenFlags::TRUNCATE oflag. The root cause is that the
| clause handling OpenFlags::TRUNCATE in crates/wasi/src/filesystem.rs
| (Dir::open_at, lines 967–969) did not set open_mode |=
| OpenMode::WRITE;, which is later used for the access control check
| against FilePerms to determine whether opening the file is
| permitted; the single-line fix adds that missing assignment, after
| which the affected calls correctly fail with
| error-code.not-permitted and ERRNO_PERM respectively. Only
| wasmtime-wasi embeddings
| that combine DirPerms::MUTATE with FilePerms::READ are affected by
| this bug. In particular, the Wasmtime project's wasmtime-cli's use
| of wasmtime-wasi is not affected, because it always sets
| FilePerms::all() for all preopens. This issue has been fixed in
| versions 24.0.9, 36.0.10 and 44.0.2.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-47261
https://www.cve.org/CVERecord?id=CVE-2026-47261
[1] https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-2r75-cxrj-cmph
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
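Added example, not part of the original messages and not Wasmtime's own code: a simplified Rust model of the root cause quoted in the report above, where the mode derived from the open flags feeds the FilePerms check. The u8 constants, the functions effective_mode and open_at, and the patched switch are assumptions made for this illustration.

```rust
// Simplified model of the check described in CVE-2026-47261.
// Names mirror the advisory text; the types and functions here are
// assumptions for illustration, not Wasmtime's implementation.
const TRUNCATE: u8 = 2; // stands in for OpenFlags::TRUNCATE
const READ: u8 = 1; // stands in for OpenMode::READ and FilePerms::READ
const WRITE: u8 = 2; // stands in for OpenMode::WRITE and FilePerms::WRITE

#[derive(Debug, PartialEq)]
enum OpenError {
    NotPermitted,
}

/// Derive the access mode that the permission check will see.
/// `patched = false` models the pre-fix behaviour from the advisory:
/// TRUNCATE is honoured but never recorded as a write.
fn effective_mode(oflags: u8, requested: u8, patched: bool) -> u8 {
    let mut open_mode = requested;
    if oflags & TRUNCATE != 0 && patched {
        open_mode |= WRITE; // truncation modifies file contents
    }
    open_mode
}

/// Access-control check: every bit of the effective mode must be
/// granted by the preopen's file permissions.
fn open_at(file_perms: u8, oflags: u8, requested: u8, patched: bool) -> Result<u8, OpenError> {
    let mode = effective_mode(oflags, requested, patched);
    if mode & !file_perms != 0 {
        return Err(OpenError::NotPermitted);
    }
    Ok(mode)
}

fn main() {
    let preopen = READ; // FilePerms::READ without FilePerms::WRITE
    for patched in [false, true] {
        let result = open_at(preopen, TRUNCATE, READ, patched);
        println!("patched={patched}: TRUNCATE-only open -> {result:?}");
    }
    // An explicit write request was always refused; only the mode
    // derivation for TRUNCATE was missing.
    println!("explicit WRITE -> {:?}", open_at(preopen, 0, WRITE, false));
}
```

The permission check itself is identical in both runs; only the derived mode changes, which is why the upstream fix is a single added assignment.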
--- Begin Message ---
Source: rust-wasmtime
Source-Version: 36.0.11+dfsg-1
Done: Jonas Smedegaard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
rust-wasmtime, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <[email protected]> (supplier of updated rust-wasmtime package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 16 Jun 2026 10:50:17 +0200
Source: rust-wasmtime
Architecture: source
Version: 36.0.11+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <[email protected]>
Changed-By: Jonas Smedegaard <[email protected]>
Closes: 1140128
Changes:
rust-wasmtime (36.0.11+dfsg-1) unstable; urgency=high
.
[ upstream ]
* new release;
CVE-2026-47261;
closes: bug#1140128, thanks to Salvatore Bonaccorso
.
[ Jonas Smedegaard ]
* update watch file: use Custom-Version
* unfuzz patches
* reorganize patch naming and numbering
* bump project versions in virtual packages and autopkgtests
* use debhelper compatibility level 14 (not 13)
* set severity=high due to security bugfixes
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---