On Mon, 27 Apr 2026 at 20:58:50 +0200, Salvatore Bonaccorso wrote:
it looks the debdiff is missing here, can you attach it?

Oh, sorry, attached now.

    smcv
diffstat for bubblewrap-0.11.0 bubblewrap-0.11.0

 bubblewrap.c                                                                                |   28 ++-
 debian/changelog                                                                            |   16 +
 debian/control                                                                              |    2 
 debian/gbp.conf                                                                             |    2 
 debian/patches/CVE-2026-41163/Don-t-run-the-privilege-separated-code-dumpable.patch         |   89 ++++++++++
 debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch |   36 ++++
 debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch       |    4 
 debian/patches/series                                                                       |    2 
 8 files changed, 166 insertions(+), 13 deletions(-)

diff -Nru bubblewrap-0.11.0/bubblewrap.c bubblewrap-0.11.0/bubblewrap.c
--- bubblewrap-0.11.0/bubblewrap.c	2026-04-27 22:42:41.000000000 +0100
+++ bubblewrap-0.11.0/bubblewrap.c	2026-04-27 22:42:41.000000000 +0100
@@ -937,7 +937,8 @@
 /* Call setuid() and use capset() to adjust capabilities */
 static void
 drop_privs (bool keep_requested_caps,
-            bool already_changed_uid)
+            bool already_changed_uid,
+            bool set_dumpable)
 {
   assert (!keep_requested_caps || !is_privileged);
   /* Drop root uid */
@@ -947,9 +948,12 @@
 
   drop_all_caps (keep_requested_caps);
 
-  /* We don't have any privs now, so mark us dumpable which makes /proc/self be owned by the user instead of root */
-  if (prctl (PR_SET_DUMPABLE, 1, 0, 0, 0) != 0)
-    die_with_error ("can't set dumpable");
+  if (set_dumpable)
+    {
+      /* We don't have any privs now, so mark us dumpable which makes /proc/self be owned by the user instead of root */
+      if (prctl (PR_SET_DUMPABLE, 1, 0, 0, 0) != 0)
+        die_with_error ("can't set dumpable");
+    }
 }
 
 static void
@@ -1154,7 +1158,9 @@
       break;
 
     case PRIV_SEP_OP_OVERLAY_MOUNT:
-      if (mount ("overlay", arg2, "overlay", MS_MGC_VAL, arg1) != 0)
+      if (is_privileged)
+        die ("Overlay mounts are not supported in setuid mode");
+      if (mount ("overlay", arg2, "overlay", MS_MGC_VAL | MS_NOSUID | MS_NODEV, arg1) != 0)
         {
           /* The standard message for ELOOP, "Too many levels of symbolic
            * links", is not helpful here. */
@@ -1172,6 +1178,8 @@
          something manages to send hacked priv-sep operation requests. */
       if (!opt_unshare_uts)
         die ("Refusing to set hostname in original namespace");
+      if (arg1 == NULL)
+        die ("Hostname argument is NULL");
       if (sethostname (arg1, strlen(arg1)) != 0)
         die_with_error ("Can't set hostname to %s", arg1);
       break;
@@ -3175,7 +3183,7 @@
         die_with_error ("Setting userns2 failed");
 
       /* We don't need any privileges in the launcher, drop them immediately. */
-      drop_privs (false, false);
+      drop_privs (false, false, true);
 
       /* Optionally bind our lifecycle to that of the parent */
       handle_die_with_parent ();
@@ -3362,8 +3370,10 @@
 
       if (child == 0)
         {
-          /* Unprivileged setup process */
-          drop_privs (false, true);
+          /* Unprivileged setup process.
+           * Note: Don't set dumpable, because we can still perform privileged
+           * operations via privileged_op(). */
+          drop_privs (false, true, false);
           close (privsep_sockets[0]);
           setup_newroot (opt_unshare_pid, privsep_sockets[1]);
           exit (0);
@@ -3492,7 +3502,7 @@
     }
 
   /* All privileged ops are done now, so drop caps we don't need */
-  drop_privs (!is_privileged, true);
+  drop_privs (!is_privileged, true, true);
 
   if (opt_block_fd != -1)
     {
diff -Nru bubblewrap-0.11.0/debian/changelog bubblewrap-0.11.0/debian/changelog
--- bubblewrap-0.11.0/debian/changelog	2024-12-30 11:17:50.000000000 +0000
+++ bubblewrap-0.11.0/debian/changelog	2026-04-26 14:05:43.000000000 +0100
@@ -1,3 +1,19 @@
+bubblewrap (0.11.0-2+deb13u1) trixie; urgency=medium
+
+  * d/control, d/gbp.conf: Branch for Debian 13 stable updates
+  * d/patches: Fix privilege escalation if bubblewrap is setuid root.
+    /usr/bin/bwrap has not been installed setuid-root by default since
+    Debian 11, but if it was made setuid via a dpkg-statoverride set up
+    by the local sysadmin (most likely in conjunction with turning off
+    the ability for unprivileged users to create new user namespaces),
+    then the version included in Debian 13.4 would be vulnerable.
+    (CVE-2026-41163, Closes: #1134704)
+    Note that the ability to install bubblewrap setuid-root has been
+    deprecated upstream, and the version included in Debian 14 will
+    refuse to run if it is setuid.
+
+ -- Simon McVittie <[email protected]>  Sun, 26 Apr 2026 14:05:43 +0100
+
 bubblewrap (0.11.0-2) unstable; urgency=medium
 
   [ Helmut Grohne ]
diff -Nru bubblewrap-0.11.0/debian/control bubblewrap-0.11.0/debian/control
--- bubblewrap-0.11.0/debian/control	2024-12-30 11:17:50.000000000 +0000
+++ bubblewrap-0.11.0/debian/control	2026-04-26 14:05:43.000000000 +0100
@@ -22,7 +22,7 @@
  xsltproc,
 Standards-Version: 4.7.0
 Homepage: https://github.com/containers/bubblewrap
-Vcs-Git: https://salsa.debian.org/debian/bubblewrap.git
+Vcs-Git: https://salsa.debian.org/debian/bubblewrap.git -b debian/trixie
 Vcs-Browser: https://salsa.debian.org/debian/bubblewrap
 Rules-Requires-Root: no
 
diff -Nru bubblewrap-0.11.0/debian/gbp.conf bubblewrap-0.11.0/debian/gbp.conf
--- bubblewrap-0.11.0/debian/gbp.conf	2024-12-30 11:17:50.000000000 +0000
+++ bubblewrap-0.11.0/debian/gbp.conf	2026-04-26 14:05:43.000000000 +0100
@@ -1,6 +1,6 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/latest
+debian-branch = debian/trixie
 upstream-branch = upstream/latest
 patch-numbers = False
 upstream-vcs-tag = v%(version)s
diff -Nru bubblewrap-0.11.0/debian/patches/CVE-2026-41163/Don-t-run-the-privilege-separated-code-dumpable.patch bubblewrap-0.11.0/debian/patches/CVE-2026-41163/Don-t-run-the-privilege-separated-code-dumpable.patch
--- bubblewrap-0.11.0/debian/patches/CVE-2026-41163/Don-t-run-the-privilege-separated-code-dumpable.patch	1970-01-01 01:00:00.000000000 +0100
+++ bubblewrap-0.11.0/debian/patches/CVE-2026-41163/Don-t-run-the-privilege-separated-code-dumpable.patch	2026-04-26 14:05:43.000000000 +0100
@@ -0,0 +1,89 @@
+From: Alexander Larsson <[email protected]>
+Date: Tue, 14 Apr 2026 11:46:12 +0200
+Subject: Don't run the privilege separated code dumpable
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+If the unprivileged code is dumpable, then it can be attached to with
+ptrace and execute arbitrary requests to the privileged part of the
+setup. In some cases this allows privilege escalation, such as using
+overlay mounts which would otherwise not be allowed in setuid mode.
+
+Note: We still make the monitor process and the main child process
+dumpable, because otherwise the owner of /proc/self is root which
+makes these processed not able to use features that are needed for
+e.g. detarmining portal access.
+
+Initially reported by François Diakhate <[email protected]>
+
+Signed-off-by: Alexander Larsson <[email protected]>
+Origin: upstream, 0.11.2, commit:10ed62f34a4565188887b06df1438ef8002c3c80
+Bug: https://github.com/containers/bubblewrap/security/advisories/GHSA-xq78-7hw4-5jvp
+Bug-CVE: CVE-2026-41163
+Bug-Debian: https://bugs.debian.org/1134704
+---
+ bubblewrap.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/bubblewrap.c b/bubblewrap.c
+index f8728c7..0d8d54d 100644
+--- a/bubblewrap.c
++++ b/bubblewrap.c
+@@ -937,7 +937,8 @@ switch_to_user_with_privs (void)
+ /* Call setuid() and use capset() to adjust capabilities */
+ static void
+ drop_privs (bool keep_requested_caps,
+-            bool already_changed_uid)
++            bool already_changed_uid,
++            bool set_dumpable)
+ {
+   assert (!keep_requested_caps || !is_privileged);
+   /* Drop root uid */
+@@ -947,9 +948,12 @@ drop_privs (bool keep_requested_caps,
+ 
+   drop_all_caps (keep_requested_caps);
+ 
+-  /* We don't have any privs now, so mark us dumpable which makes /proc/self be owned by the user instead of root */
+-  if (prctl (PR_SET_DUMPABLE, 1, 0, 0, 0) != 0)
+-    die_with_error ("can't set dumpable");
++  if (set_dumpable)
++    {
++      /* We don't have any privs now, so mark us dumpable which makes /proc/self be owned by the user instead of root */
++      if (prctl (PR_SET_DUMPABLE, 1, 0, 0, 0) != 0)
++        die_with_error ("can't set dumpable");
++    }
+ }
+ 
+ static void
+@@ -3175,7 +3179,7 @@ main (int    argc,
+         die_with_error ("Setting userns2 failed");
+ 
+       /* We don't need any privileges in the launcher, drop them immediately. */
+-      drop_privs (false, false);
++      drop_privs (false, false, true);
+ 
+       /* Optionally bind our lifecycle to that of the parent */
+       handle_die_with_parent ();
+@@ -3362,8 +3366,10 @@ main (int    argc,
+ 
+       if (child == 0)
+         {
+-          /* Unprivileged setup process */
+-          drop_privs (false, true);
++          /* Unprivileged setup process.
++           * Note: Don't set dumpable, because we can still perform privileged
++           * operations via privileged_op(). */
++          drop_privs (false, true, false);
+           close (privsep_sockets[0]);
+           setup_newroot (opt_unshare_pid, privsep_sockets[1]);
+           exit (0);
+@@ -3492,7 +3498,7 @@ main (int    argc,
+     }
+ 
+   /* All privileged ops are done now, so drop caps we don't need */
+-  drop_privs (!is_privileged, true);
++  drop_privs (!is_privileged, true, true);
+ 
+   if (opt_block_fd != -1)
+     {
diff -Nru bubblewrap-0.11.0/debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch bubblewrap-0.11.0/debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch
--- bubblewrap-0.11.0/debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch	1970-01-01 01:00:00.000000000 +0100
+++ bubblewrap-0.11.0/debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch	2026-04-26 14:05:43.000000000 +0100
@@ -0,0 +1,36 @@
+From: =?utf-8?q?Fran=C3=A7ois_Diakhat=C3=A9?= <[email protected]>
+Date: Thu, 9 Apr 2026 18:17:33 +0000
+Subject: fix: harden privsep parent against unexpected operations
+
+Origin: upstream, 0.11.2, commit:9e16c35582af7704958dd2b2ec3cba524c9605b6
+Bug: https://github.com/containers/bubblewrap/security/advisories/GHSA-xq78-7hw4-5jvp
+Bug-CVE: CVE-2026-41163
+Bug-Debian: https://bugs.debian.org/1134704
+---
+ bubblewrap.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/bubblewrap.c b/bubblewrap.c
+index 0d8d54d..42efe2a 100644
+--- a/bubblewrap.c
++++ b/bubblewrap.c
+@@ -1158,7 +1158,9 @@ privileged_op (int         privileged_op_socket,
+       break;
+ 
+     case PRIV_SEP_OP_OVERLAY_MOUNT:
+-      if (mount ("overlay", arg2, "overlay", MS_MGC_VAL, arg1) != 0)
++      if (is_privileged)
++        die ("Overlay mounts are not supported in setuid mode");
++      if (mount ("overlay", arg2, "overlay", MS_MGC_VAL | MS_NOSUID | MS_NODEV, arg1) != 0)
+         {
+           /* The standard message for ELOOP, "Too many levels of symbolic
+            * links", is not helpful here. */
+@@ -1176,6 +1178,8 @@ privileged_op (int         privileged_op_socket,
+          something manages to send hacked priv-sep operation requests. */
+       if (!opt_unshare_uts)
+         die ("Refusing to set hostname in original namespace");
++      if (arg1 == NULL)
++        die ("Hostname argument is NULL");
+       if (sethostname (arg1, strlen(arg1)) != 0)
+         die_with_error ("Can't set hostname to %s", arg1);
+       break;
diff -Nru bubblewrap-0.11.0/debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch bubblewrap-0.11.0/debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch
--- bubblewrap-0.11.0/debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch	2024-12-30 11:17:50.000000000 +0000
+++ bubblewrap-0.11.0/debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch	2026-04-26 14:05:43.000000000 +0100
@@ -8,10 +8,10 @@
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/bubblewrap.c b/bubblewrap.c
-index f8728c7..457b0a3 100644
+index 42efe2a..3e48d26 100644
 --- a/bubblewrap.c
 +++ b/bubblewrap.c
-@@ -3128,7 +3128,7 @@ main (int    argc,
+@@ -3136,7 +3136,7 @@ main (int    argc,
            if (errno == EINVAL)
              die ("Creating new namespace failed, likely because the kernel does not support user namespaces.  bwrap must be installed setuid on such systems.");
            else if (errno == EPERM && !is_privileged)
diff -Nru bubblewrap-0.11.0/debian/patches/series bubblewrap-0.11.0/debian/patches/series
--- bubblewrap-0.11.0/debian/patches/series	2024-12-30 11:17:50.000000000 +0000
+++ bubblewrap-0.11.0/debian/patches/series	2026-04-26 14:05:43.000000000 +0100
@@ -1 +1,3 @@
+CVE-2026-41163/Don-t-run-the-privilege-separated-code-dumpable.patch
+CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch
 debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch

Reply via email to