On Mon, 27 Apr 2026 at 20:58:50 +0200, Salvatore Bonaccorso wrote:
it looks the debdiff is missing here, can you attach it?
Oh, sorry, attached now.
smcv
diffstat for bubblewrap-0.11.0 bubblewrap-0.11.0
bubblewrap.c | 28 ++-
debian/changelog | 16 +
debian/control | 2
debian/gbp.conf | 2
debian/patches/CVE-2026-41163/Don-t-run-the-privilege-separated-code-dumpable.patch | 89 ++++++++++
debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch | 36 ++++
debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch | 4
debian/patches/series | 2
8 files changed, 166 insertions(+), 13 deletions(-)
diff -Nru bubblewrap-0.11.0/bubblewrap.c bubblewrap-0.11.0/bubblewrap.c
--- bubblewrap-0.11.0/bubblewrap.c 2026-04-27 22:42:41.000000000 +0100
+++ bubblewrap-0.11.0/bubblewrap.c 2026-04-27 22:42:41.000000000 +0100
@@ -937,7 +937,8 @@
/* Call setuid() and use capset() to adjust capabilities */
static void
drop_privs (bool keep_requested_caps,
- bool already_changed_uid)
+ bool already_changed_uid,
+ bool set_dumpable)
{
assert (!keep_requested_caps || !is_privileged);
/* Drop root uid */
@@ -947,9 +948,12 @@
drop_all_caps (keep_requested_caps);
- /* We don't have any privs now, so mark us dumpable which makes /proc/self be owned by the user instead of root */
- if (prctl (PR_SET_DUMPABLE, 1, 0, 0, 0) != 0)
- die_with_error ("can't set dumpable");
+ if (set_dumpable)
+ {
+ /* We don't have any privs now, so mark us dumpable which makes /proc/self be owned by the user instead of root */
+ if (prctl (PR_SET_DUMPABLE, 1, 0, 0, 0) != 0)
+ die_with_error ("can't set dumpable");
+ }
}
static void
@@ -1154,7 +1158,9 @@
break;
case PRIV_SEP_OP_OVERLAY_MOUNT:
- if (mount ("overlay", arg2, "overlay", MS_MGC_VAL, arg1) != 0)
+ if (is_privileged)
+ die ("Overlay mounts are not supported in setuid mode");
+ if (mount ("overlay", arg2, "overlay", MS_MGC_VAL | MS_NOSUID | MS_NODEV, arg1) != 0)
{
/* The standard message for ELOOP, "Too many levels of symbolic
* links", is not helpful here. */
@@ -1172,6 +1178,8 @@
something manages to send hacked priv-sep operation requests. */
if (!opt_unshare_uts)
die ("Refusing to set hostname in original namespace");
+ if (arg1 == NULL)
+ die ("Hostname argument is NULL");
if (sethostname (arg1, strlen(arg1)) != 0)
die_with_error ("Can't set hostname to %s", arg1);
break;
@@ -3175,7 +3183,7 @@
die_with_error ("Setting userns2 failed");
/* We don't need any privileges in the launcher, drop them immediately. */
- drop_privs (false, false);
+ drop_privs (false, false, true);
/* Optionally bind our lifecycle to that of the parent */
handle_die_with_parent ();
@@ -3362,8 +3370,10 @@
if (child == 0)
{
- /* Unprivileged setup process */
- drop_privs (false, true);
+ /* Unprivileged setup process.
+ * Note: Don't set dumpable, because we can still perform privileged
+ * operations via privileged_op(). */
+ drop_privs (false, true, false);
close (privsep_sockets[0]);
setup_newroot (opt_unshare_pid, privsep_sockets[1]);
exit (0);
@@ -3492,7 +3502,7 @@
}
/* All privileged ops are done now, so drop caps we don't need */
- drop_privs (!is_privileged, true);
+ drop_privs (!is_privileged, true, true);
if (opt_block_fd != -1)
{
diff -Nru bubblewrap-0.11.0/debian/changelog bubblewrap-0.11.0/debian/changelog
--- bubblewrap-0.11.0/debian/changelog 2024-12-30 11:17:50.000000000 +0000
+++ bubblewrap-0.11.0/debian/changelog 2026-04-26 14:05:43.000000000 +0100
@@ -1,3 +1,19 @@
+bubblewrap (0.11.0-2+deb13u1) trixie; urgency=medium
+
+ * d/control, d/gbp.conf: Branch for Debian 13 stable updates
+ * d/patches: Fix privilege escalation if bubblewrap is setuid root.
+ /usr/bin/bwrap has not been installed setuid-root by default since
+ Debian 11, but if it was made setuid via a dpkg-statoverride set up
+ by the local sysadmin (most likely in conjunction with turning off
+ the ability for unprivileged users to create new user namespaces),
+ then the version included in Debian 13.4 would be vulnerable.
+ (CVE-2026-41163, Closes: #1134704)
+ Note that the ability to install bubblewrap setuid-root has been
+ deprecated upstream, and the version included in Debian 14 will
+ refuse to run if it is setuid.
+
+ -- Simon McVittie <[email protected]> Sun, 26 Apr 2026 14:05:43 +0100
+
bubblewrap (0.11.0-2) unstable; urgency=medium
[ Helmut Grohne ]
diff -Nru bubblewrap-0.11.0/debian/control bubblewrap-0.11.0/debian/control
--- bubblewrap-0.11.0/debian/control 2024-12-30 11:17:50.000000000 +0000
+++ bubblewrap-0.11.0/debian/control 2026-04-26 14:05:43.000000000 +0100
@@ -22,7 +22,7 @@
xsltproc,
Standards-Version: 4.7.0
Homepage: https://github.com/containers/bubblewrap
-Vcs-Git: https://salsa.debian.org/debian/bubblewrap.git
+Vcs-Git: https://salsa.debian.org/debian/bubblewrap.git -b debian/trixie
Vcs-Browser: https://salsa.debian.org/debian/bubblewrap
Rules-Requires-Root: no
diff -Nru bubblewrap-0.11.0/debian/gbp.conf bubblewrap-0.11.0/debian/gbp.conf
--- bubblewrap-0.11.0/debian/gbp.conf 2024-12-30 11:17:50.000000000 +0000
+++ bubblewrap-0.11.0/debian/gbp.conf 2026-04-26 14:05:43.000000000 +0100
@@ -1,6 +1,6 @@
[DEFAULT]
pristine-tar = True
-debian-branch = debian/latest
+debian-branch = debian/trixie
upstream-branch = upstream/latest
patch-numbers = False
upstream-vcs-tag = v%(version)s
diff -Nru bubblewrap-0.11.0/debian/patches/CVE-2026-41163/Don-t-run-the-privilege-separated-code-dumpable.patch bubblewrap-0.11.0/debian/patches/CVE-2026-41163/Don-t-run-the-privilege-separated-code-dumpable.patch
--- bubblewrap-0.11.0/debian/patches/CVE-2026-41163/Don-t-run-the-privilege-separated-code-dumpable.patch 1970-01-01 01:00:00.000000000 +0100
+++ bubblewrap-0.11.0/debian/patches/CVE-2026-41163/Don-t-run-the-privilege-separated-code-dumpable.patch 2026-04-26 14:05:43.000000000 +0100
@@ -0,0 +1,89 @@
+From: Alexander Larsson <[email protected]>
+Date: Tue, 14 Apr 2026 11:46:12 +0200
+Subject: Don't run the privilege separated code dumpable
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+If the unprivileged code is dumpable, then it can be attached to with
+ptrace and execute arbitrary requests to the privileged part of the
+setup. In some cases this allows privilege escalation, such as using
+overlay mounts which would otherwise not be allowed in setuid mode.
+
+Note: We still make the monitor process and the main child process
+dumpable, because otherwise the owner of /proc/self is root which
+makes these processed not able to use features that are needed for
+e.g. detarmining portal access.
+
+Initially reported by François Diakhate <[email protected]>
+
+Signed-off-by: Alexander Larsson <[email protected]>
+Origin: upstream, 0.11.2, commit:10ed62f34a4565188887b06df1438ef8002c3c80
+Bug: https://github.com/containers/bubblewrap/security/advisories/GHSA-xq78-7hw4-5jvp
+Bug-CVE: CVE-2026-41163
+Bug-Debian: https://bugs.debian.org/1134704
+---
+ bubblewrap.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/bubblewrap.c b/bubblewrap.c
+index f8728c7..0d8d54d 100644
+--- a/bubblewrap.c
++++ b/bubblewrap.c
+@@ -937,7 +937,8 @@ switch_to_user_with_privs (void)
+ /* Call setuid() and use capset() to adjust capabilities */
+ static void
+ drop_privs (bool keep_requested_caps,
+- bool already_changed_uid)
++ bool already_changed_uid,
++ bool set_dumpable)
+ {
+ assert (!keep_requested_caps || !is_privileged);
+ /* Drop root uid */
+@@ -947,9 +948,12 @@ drop_privs (bool keep_requested_caps,
+
+ drop_all_caps (keep_requested_caps);
+
+- /* We don't have any privs now, so mark us dumpable which makes /proc/self be owned by the user instead of root */
+- if (prctl (PR_SET_DUMPABLE, 1, 0, 0, 0) != 0)
+- die_with_error ("can't set dumpable");
++ if (set_dumpable)
++ {
++ /* We don't have any privs now, so mark us dumpable which makes /proc/self be owned by the user instead of root */
++ if (prctl (PR_SET_DUMPABLE, 1, 0, 0, 0) != 0)
++ die_with_error ("can't set dumpable");
++ }
+ }
+
+ static void
+@@ -3175,7 +3179,7 @@ main (int argc,
+ die_with_error ("Setting userns2 failed");
+
+ /* We don't need any privileges in the launcher, drop them immediately. */
+- drop_privs (false, false);
++ drop_privs (false, false, true);
+
+ /* Optionally bind our lifecycle to that of the parent */
+ handle_die_with_parent ();
+@@ -3362,8 +3366,10 @@ main (int argc,
+
+ if (child == 0)
+ {
+- /* Unprivileged setup process */
+- drop_privs (false, true);
++ /* Unprivileged setup process.
++ * Note: Don't set dumpable, because we can still perform privileged
++ * operations via privileged_op(). */
++ drop_privs (false, true, false);
+ close (privsep_sockets[0]);
+ setup_newroot (opt_unshare_pid, privsep_sockets[1]);
+ exit (0);
+@@ -3492,7 +3498,7 @@ main (int argc,
+ }
+
+ /* All privileged ops are done now, so drop caps we don't need */
+- drop_privs (!is_privileged, true);
++ drop_privs (!is_privileged, true, true);
+
+ if (opt_block_fd != -1)
+ {
diff -Nru bubblewrap-0.11.0/debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch bubblewrap-0.11.0/debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch
--- bubblewrap-0.11.0/debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch 1970-01-01 01:00:00.000000000 +0100
+++ bubblewrap-0.11.0/debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch 2026-04-26 14:05:43.000000000 +0100
@@ -0,0 +1,36 @@
+From: =?utf-8?q?Fran=C3=A7ois_Diakhat=C3=A9?= <[email protected]>
+Date: Thu, 9 Apr 2026 18:17:33 +0000
+Subject: fix: harden privsep parent against unexpected operations
+
+Origin: upstream, 0.11.2, commit:9e16c35582af7704958dd2b2ec3cba524c9605b6
+Bug: https://github.com/containers/bubblewrap/security/advisories/GHSA-xq78-7hw4-5jvp
+Bug-CVE: CVE-2026-41163
+Bug-Debian: https://bugs.debian.org/1134704
+---
+ bubblewrap.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/bubblewrap.c b/bubblewrap.c
+index 0d8d54d..42efe2a 100644
+--- a/bubblewrap.c
++++ b/bubblewrap.c
+@@ -1158,7 +1158,9 @@ privileged_op (int privileged_op_socket,
+ break;
+
+ case PRIV_SEP_OP_OVERLAY_MOUNT:
+- if (mount ("overlay", arg2, "overlay", MS_MGC_VAL, arg1) != 0)
++ if (is_privileged)
++ die ("Overlay mounts are not supported in setuid mode");
++ if (mount ("overlay", arg2, "overlay", MS_MGC_VAL | MS_NOSUID | MS_NODEV, arg1) != 0)
+ {
+ /* The standard message for ELOOP, "Too many levels of symbolic
+ * links", is not helpful here. */
+@@ -1176,6 +1178,8 @@ privileged_op (int privileged_op_socket,
+ something manages to send hacked priv-sep operation requests. */
+ if (!opt_unshare_uts)
+ die ("Refusing to set hostname in original namespace");
++ if (arg1 == NULL)
++ die ("Hostname argument is NULL");
+ if (sethostname (arg1, strlen(arg1)) != 0)
+ die_with_error ("Can't set hostname to %s", arg1);
+ break;
diff -Nru bubblewrap-0.11.0/debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch bubblewrap-0.11.0/debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch
--- bubblewrap-0.11.0/debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch 2024-12-30 11:17:50.000000000 +0000
+++ bubblewrap-0.11.0/debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch 2026-04-26 14:05:43.000000000 +0100
@@ -8,10 +8,10 @@
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bubblewrap.c b/bubblewrap.c
-index f8728c7..457b0a3 100644
+index 42efe2a..3e48d26 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
-@@ -3128,7 +3128,7 @@ main (int argc,
+@@ -3136,7 +3136,7 @@ main (int argc,
if (errno == EINVAL)
die ("Creating new namespace failed, likely because the kernel does not support user namespaces. bwrap must be installed setuid on such systems.");
else if (errno == EPERM && !is_privileged)
diff -Nru bubblewrap-0.11.0/debian/patches/series bubblewrap-0.11.0/debian/patches/series
--- bubblewrap-0.11.0/debian/patches/series 2024-12-30 11:17:50.000000000 +0000
+++ bubblewrap-0.11.0/debian/patches/series 2026-04-26 14:05:43.000000000 +0100
@@ -1 +1,3 @@
+CVE-2026-41163/Don-t-run-the-privilege-separated-code-dumpable.patch
+CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch
debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch