Version in base suite: 2.57.6-1 Base version: snapd_2.57.6-1 Target version: snapd_2.57.6-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/snapd/snapd_2.57.6-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/snapd/snapd_2.57.6-1+deb12u1.dsc changelog | 9 ++ patches/data-more-precise-prune-pattern-for-tmpfiles.patch | 32 ++++++++++ patches/data-systemd-tmpfiles-protect-the-per-snap-tmp-16197.patch | 25 +++++++ patches/series | 2 4 files changed, 68 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpx64pmleb/snapd_2.57.6-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpx64pmleb/snapd_2.57.6-1+deb12u1.dsc: no acceptable signature found
diff -Nru snapd-2.57.6/debian/changelog snapd-2.57.6/debian/changelog
--- snapd-2.57.6/debian/changelog 2022-12-01 16:35:36.000000000 +0000
+++ snapd-2.57.6/debian/changelog 2026-03-17 21:17:14.000000000 +0000
@@ -1,3 +1,12 @@
+snapd (2.57.6-1+deb12u1) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * data/systemd-tmpfiles: protect the per-snap tmp
+ * data: more precise prune pattern for tmpfiles (CVE-2026-3888)
+ (Closes: #1131120)
+
+ -- Salvatore Bonaccorso Tue, 17 Mar 2026 22:17:14 +0100
+
 snapd (2.57.6-1) unstable; urgency=high
 
 * SECURITY UPDATE: Local privilege escalation
diff -Nru snapd-2.57.6/debian/patches/data-more-precise-prune-pattern-for-tmpfiles.patch snapd-2.57.6/debian/patches/data-more-precise-prune-pattern-for-tmpfiles.patch
--- snapd-2.57.6/debian/patches/data-more-precise-prune-pattern-for-tmpfiles.patch 1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.57.6/debian/patches/data-more-precise-prune-pattern-for-tmpfiles.patch 2026-03-17 21:16:57.000000000 +0000
@@ -0,0 +1,32 @@
+From d2afe1a6f1174d1023a24b1b168df973830cb5cf Mon Sep 17 00:00:00 2001
+From: Zygmunt Krynicki
+Date: Fri, 13 Feb 2026 15:38:01 +0100
+Subject: [PATCH] data: more precise prune pattern for tmpfiles
+
+This way the structure of private tmp directories is left intact, while the
+(aging) content of such directories is allowed to be removed.
+
+Signed-off-by: Zygmunt Krynicki
+---
+ data/systemd-tmpfiles/snapd.conf | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/data/systemd-tmpfiles/snapd.conf b/data/systemd-tmpfiles/snapd.conf
+index da8f1c38b709..98329e3d6ca7 100644
+--- a/data/systemd-tmpfiles/snapd.conf
++++ b/data/systemd-tmpfiles/snapd.conf
+@@ -1,7 +1,7 @@
+ D! /tmp/snap-private-tmp 0700 root root -
+ 
+-# make sure the snap's private tmp folders are
+-# not reaped by age if configured by the system (noble+)
+-# this will still let the contents be reaped, just not the
+-# folder itself
++# Allow removing content in the private tmp folders without affecting the
++# architectural structure of the folders themselves.
++X /tmp/snap-private-tmp
+ X /tmp/snap-private-tmp/*/tmp
++x /tmp/snap-private-tmp/*/tmp/.snap
+-- 
+2.53.0
+
diff -Nru snapd-2.57.6/debian/patches/data-systemd-tmpfiles-protect-the-per-snap-tmp-16197.patch snapd-2.57.6/debian/patches/data-systemd-tmpfiles-protect-the-per-snap-tmp-16197.patch
--- snapd-2.57.6/debian/patches/data-systemd-tmpfiles-protect-the-per-snap-tmp-16197.patch 1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.57.6/debian/patches/data-systemd-tmpfiles-protect-the-per-snap-tmp-16197.patch 2026-03-17 21:16:57.000000000 +0000
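Review bot: The resulting tmpfiles.d file still has no exclusion for the intermediate per-snap directory between the two `X` lines at the end of the hunk (`/tmp/snap-private-tmp` and `/tmp/snap-private-tmp/*/tmp`), so `/tmp/snap-private-tmp/*` itself escapes age-based removal only because a directory that still holds its protected `tmp` entry cannot be removed; an explicit `X /tmp/snap-private-tmp/*` line would state that intent directly, and the implicit behaviour should be confirmed against the systemd-tmpfiles version shipped in bookworm. The lowercase `x` on `/tmp/snap-private-tmp/*/tmp/.snap` excludes that directory together with everything beneath it from cleaning, which the new two-line comment does not spell out. Ordering looks consistent: this patch's `index da8f1c38b709..98329e3d6ca7` pre-image is the post-image of data-systemd-tmpfiles-protect-the-per-snap-tmp-16197.patch, and `series` lists the two in that order. Neither this patch nor the 16197 one carries DEP-3 headers; adding `Bug-Debian: https://bugs.debian.org/1131120` and `Origin: upstream, d2afe1a6f1174d1023a24b1b168df973830cb5cf` on this one would tie the file to CVE-2026-3888 the way the changelog does.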
@@ -0,0 +1,25 @@
+From d3e2c3d85f9a0571fabfc079f89d0135a07afd67 Mon Sep 17 00:00:00 2001
+From: Philip Meulengracht
+Date: Wed, 12 Nov 2025 14:50:06 +0100
+Subject: [PATCH] data/systemd-tmpfiles: protect the per-snap tmp (#16197)
+
+Protect the per-snap tmp directory against being reaped by age
+---
+ data/systemd-tmpfiles/snapd.conf | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/data/systemd-tmpfiles/snapd.conf b/data/systemd-tmpfiles/snapd.conf
+index 03c9bb076f9b..da8f1c38b709 100644
+--- a/data/systemd-tmpfiles/snapd.conf
++++ b/data/systemd-tmpfiles/snapd.conf
+@@ -1 +1,7 @@
+ D! /tmp/snap-private-tmp 0700 root root -
++
++# make sure the snap's private tmp folders are
++# not reaped by age if configured by the system (noble+)
++# this will still let the contents be reaped, just not the
++# folder itself
++X /tmp/snap-private-tmp/*/tmp
+-- 
+2.53.0
+
diff -Nru snapd-2.57.6/debian/patches/series snapd-2.57.6/debian/patches/series
--- snapd-2.57.6/debian/patches/series 2022-12-01 16:35:36.000000000 +0000
+++ snapd-2.57.6/debian/patches/series 2026-03-17 21:17:11.000000000 +0000
@@ -7,3 +7,5 @@
 0011-Fix-test-with-godbus-5.0.5.patch
 0015-fix-build-5bd97b39a03.patch
 0016-skip-TestPopulateFromSeedWithConnectHook.patch
+data-systemd-tmpfiles-protect-the-per-snap-tmp-16197.patch
+data-more-precise-prune-pattern-for-tmpfiles.patch