Version in base suite: 0.11.0-2
Base version: bubblewrap_0.11.0-2
Target version: bubblewrap_0.11.0-2+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/b/bubblewrap/bubblewrap_0.11.0-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/b/bubblewrap/bubblewrap_0.11.0-2+deb13u1.dsc
changelog | 16 +
control | 2
gbp.conf | 2
patches/CVE-2026-41163/Don-t-run-the-privilege-separated-code-dumpable.patch | 89 ++++++++++
patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch | 36 ++++
patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch | 4
patches/series | 2
7 files changed, 147 insertions(+), 4 deletions(-)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpf39j22u4/bubblewrap_0.11.0-2.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpf39j22u4/bubblewrap_0.11.0-2+deb13u1.dsc: no acceptable signature found
diff -Nru bubblewrap-0.11.0/debian/changelog bubblewrap-0.11.0/debian/changelog
--- bubblewrap-0.11.0/debian/changelog 2024-12-30 11:17:50.000000000 +0000
+++ bubblewrap-0.11.0/debian/changelog 2026-04-26 13:05:43.000000000 +0000
@@ -1,3 +1,19 @@
+bubblewrap (0.11.0-2+deb13u1) trixie; urgency=medium
+
+ * d/control, d/gbp.conf: Branch for Debian 13 stable updates
+ * d/patches: Fix privilege escalation if bubblewrap is setuid root.
+ /usr/bin/bwrap has not been installed setuid-root by default since
+ Debian 11, but if it was made setuid via a dpkg-statoverride set up
+ by the local sysadmin (most likely in conjunction with turning off
+ the ability for unprivileged users to create new user namespaces),
+ then the version included in Debian 13.4 would be vulnerable.
+ (CVE-2026-41163, Closes: #1134704)
+ Note that the ability to install bubblewrap setuid-root has been
+ deprecated upstream, and the version included in Debian 14 will
+ refuse to run if it is setuid.
+
+ -- Simon McVittie Sun, 26 Apr 2026 14:05:43 +0100
+
bubblewrap (0.11.0-2) unstable; urgency=medium

[ Helmut Grohne ]
diff -Nru bubblewrap-0.11.0/debian/control bubblewrap-0.11.0/debian/control
--- bubblewrap-0.11.0/debian/control 2024-12-30 11:17:50.000000000 +0000
+++ bubblewrap-0.11.0/debian/control 2026-04-26 13:05:43.000000000 +0000
@@ -22,7 +22,7 @@
xsltproc,
Standards-Version: 4.7.0
Homepage: https://github.com/containers/bubblewrap
-Vcs-Git: https://salsa.debian.org/debian/bubblewrap.git
+Vcs-Git: https://salsa.debian.org/debian/bubblewrap.git -b debian/trixie
Vcs-Browser: https://salsa.debian.org/debian/bubblewrap
Rules-Requires-Root: no
diff -Nru bubblewrap-0.11.0/debian/gbp.conf bubblewrap-0.11.0/debian/gbp.conf
--- bubblewrap-0.11.0/debian/gbp.conf 2024-12-30 11:17:50.000000000 +0000
+++ bubblewrap-0.11.0/debian/gbp.conf 2026-04-26 13:05:43.000000000 +0000
@@ -1,6 +1,6 @@
[DEFAULT]
pristine-tar = True
-debian-branch = debian/latest
+debian-branch = debian/trixie
upstream-branch = upstream/latest
patch-numbers = False
upstream-vcs-tag = v%(version)s
diff -Nru bubblewrap-0.11.0/debian/patches/CVE-2026-41163/Don-t-run-the-privilege-separated-code-dumpable.patch bubblewrap-0.11.0/debian/patches/CVE-2026-41163/Don-t-run-the-privilege-separated-code-dumpable.patch
--- bubblewrap-0.11.0/debian/patches/CVE-2026-41163/Don-t-run-the-privilege-separated-code-dumpable.patch 1970-01-01 00:00:00.000000000 +0000
+++ bubblewrap-0.11.0/debian/patches/CVE-2026-41163/Don-t-run-the-privilege-separated-code-dumpable.patch 2026-04-26 13:05:43.000000000 +0000
@@ -0,0 +1,89 @@
+From: Alexander Larsson
+Date: Tue, 14 Apr 2026 11:46:12 +0200
+Subject: Don't run the privilege separated code dumpable
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+If the unprivileged code is dumpable, then it can be attached to with
+ptrace and execute arbitrary requests to the privileged part of the
+setup. In some cases this allows privilege escalation, such as using
+overlay mounts which would otherwise not be allowed in setuid mode.
+
+Note: We still make the monitor process and the main child process
+dumpable, because otherwise the owner of /proc/self is root which
+makes these processed not able to use features that are needed for
+e.g. detarmining portal access.
+
+Initially reported by François Diakhate
+
+Signed-off-by: Alexander Larsson
+Origin: upstream, 0.11.2, commit:10ed62f34a4565188887b06df1438ef8002c3c80
+Bug: https://github.com/containers/bubblewrap/security/advisories/GHSA-xq78-7hw4-5jvp
+Bug-CVE: CVE-2026-41163
+Bug-Debian: https://bugs.debian.org/1134704
+---
+ bubblewrap.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/bubblewrap.c b/bubblewrap.c
+index f8728c7..0d8d54d 100644
+--- a/bubblewrap.c
++++ b/bubblewrap.c
+@@ -937,7 +937,8 @@ switch_to_user_with_privs (void)
+ /* Call setuid() and use capset() to adjust capabilities */
+ static void
+ drop_privs (bool keep_requested_caps,
+- bool already_changed_uid)
++ bool already_changed_uid,
++ bool set_dumpable)
+ {
+ assert (!keep_requested_caps || !is_privileged);
+ /* Drop root uid */
+@@ -947,9 +948,12 @@ drop_privs (bool keep_requested_caps,
+
+ drop_all_caps (keep_requested_caps);
+
+- /* We don't have any privs now, so mark us dumpable which makes /proc/self be owned by the user instead of root */
+- if (prctl (PR_SET_DUMPABLE, 1, 0, 0, 0) != 0)
+- die_with_error ("can't set dumpable");
++ if (set_dumpable)
++ {
++ /* We don't have any privs now, so mark us dumpable 
which makes /proc/self be owned by the user instead of root */
++ if (prctl (PR_SET_DUMPABLE, 1, 0, 0, 0) != 0)
++ die_with_error ("can't set dumpable");
++ }
+ }
+
+ static void
+@@ -3175,7 +3179,7 @@ main (int argc,
+ die_with_error ("Setting userns2 failed");
+
+ /* We don't need any privileges in the launcher, drop them immediately. */
+- drop_privs (false, false);
++ drop_privs (false, false, true);
+
+ /* Optionally bind our lifecycle to that of the parent */
+ handle_die_with_parent ();
+@@ -3362,8 +3366,10 @@ main (int argc,
+
+ if (child == 0)
+ {
+- /* Unprivileged setup process */
+- drop_privs (false, true);
++ /* Unprivileged setup process.
++ * Note: Don't set dumpable, because we can still perform privileged
++ * operations via privileged_op(). */
++ drop_privs (false, true, false);
+ close (privsep_sockets[0]);
+ setup_newroot (opt_unshare_pid, privsep_sockets[1]);
+ exit (0);
+@@ -3492,7 +3498,7 @@ main (int argc,
+ }
+
+ /* All privileged ops are done now, so drop caps we don't need */
+- drop_privs (!is_privileged, true);
++ drop_privs (!is_privileged, true, true);
+
+ if (opt_block_fd != -1)
+ {
diff -Nru bubblewrap-0.11.0/debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch bubblewrap-0.11.0/debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch
--- bubblewrap-0.11.0/debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch 1970-01-01 00:00:00.000000000 +0000
+++ bubblewrap-0.11.0/debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch 2026-04-26 13:05:43.000000000 +0000
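Review bot: The `!set_dumpable` path added in the second inner hunk (`@@ -947,9 +948,12 @@`) never clears the dumpable flag itself; it relies on the kernel having reset the flag as a side effect of the earlier uid change in drop_privs, and that reset takes the value of the `fs.suid_dumpable` sysctl, so on a host where an administrator has set that sysctl to 1 the setuid setup child would, if I read the kernel semantics right, remain ptrace-attachable despite this patch. In setuid mode an explicit `else if (is_privileged && prctl (PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) die_with_error ("can't clear dumpable");` after the new `if (set_dumpable)` block would pin the intended state independent of sysctl configuration; unprivileged user-namespace mode should be left as is, since by the commit message's own reasoning a non-dumpable process gets a root-owned /proc/self. The new parameter is also undocumented: the header comment above drop_privs could gain `/* set_dumpable: pass false only in the privsep setup child, which must not be ptrace-attachable because it can still issue privileged_op() requests */`. Only fragments of drop_privs and of the three main() call sites are visible in this hunk.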
@@ -0,0 +1,36 @@
+From: =?utf-8?q?Fran=C3=A7ois_Diakhat=C3=A9?=
+Date: Thu, 9 Apr 2026 18:17:33 +0000
+Subject: fix: harden privsep parent against unexpected operations
+
+Origin: upstream, 0.11.2, commit:9e16c35582af7704958dd2b2ec3cba524c9605b6
+Bug: https://github.com/containers/bubblewrap/security/advisories/GHSA-xq78-7hw4-5jvp
+Bug-CVE: CVE-2026-41163
+Bug-Debian: https://bugs.debian.org/1134704
+---
+ bubblewrap.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/bubblewrap.c b/bubblewrap.c
+index 0d8d54d..42efe2a 100644
+--- a/bubblewrap.c
++++ b/bubblewrap.c
+@@ -1158,7 +1158,9 @@ privileged_op (int privileged_op_socket,
+ break;
+
+ case PRIV_SEP_OP_OVERLAY_MOUNT:
+- if (mount ("overlay", arg2, "overlay", MS_MGC_VAL, arg1) != 0)
++ if (is_privileged)
++ die ("Overlay mounts are not supported in setuid mode");
++ if (mount ("overlay", arg2, "overlay", MS_MGC_VAL | MS_NOSUID | MS_NODEV, arg1) != 0)
+ {
+ /* The standard message for ELOOP, "Too many levels of symbolic
+ * links", is not helpful here. */
+@@ -1176,6 +1178,8 @@ privileged_op (int privileged_op_socket,
+ something manages to send hacked priv-sep operation requests. */
+ if (!opt_unshare_uts)
+ die ("Refusing to set hostname in original namespace");
++ if (arg1 == NULL)
++ die ("Hostname argument is NULL");
+ if (sethostname (arg1, strlen(arg1)) != 0)
+ die_with_error ("Can't set hostname to %s", arg1);
+ break;
diff -Nru bubblewrap-0.11.0/debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch bubblewrap-0.11.0/debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch
--- bubblewrap-0.11.0/debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch 2024-12-30 11:17:50.000000000 +0000
+++ bubblewrap-0.11.0/debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch 2026-04-26 13:05:43.000000000 +0000
@@ -8,10 +8,10 @@
1 file changed, 1 insertion(+), 1 deletion(-)
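Review bot: The `MS_NOSUID | MS_NODEV` added to the overlay mount call in the first inner hunk (`@@ -1158,7 +1158,9 @@`) is a behaviour change in every mode, not only setuid, yet neither the patch description nor a comment says why; a one-liner such as `/* Always nosuid,nodev: the overlay options come from the caller, so nothing under this mount may confer privilege or expose device nodes */` would stop the next maintainer from "simplifying" it away. The new `is_privileged` refusal reads as defence in depth, but from this hunk alone one cannot tell whether the request side already rejects overlay mounts in setuid mode; the first patch's description implies it does, in which case the check should say so, mirroring the existing sethostname comment about hacked priv-sep requests. The `arg1 == NULL` guard is correctly placed before the `strlen(arg1)` call, but the other `case` arms of privileged_op that dereference `arg1` or `arg2` are outside this hunk and deserve the same review. privileged_op starts and ends outside the hunk.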
diff --git a/bubblewrap.c b/bubblewrap.c
-index f8728c7..457b0a3 100644
+index 42efe2a..3e48d26 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
-@@ -3128,7 +3128,7 @@ main (int argc,
+@@ -3136,7 +3136,7 @@ main (int argc,
if (errno == EINVAL)
die ("Creating new namespace failed, likely because the kernel does not support user namespaces. bwrap must be installed setuid on such systems.");
else if (errno == EPERM && !is_privileged)
diff -Nru bubblewrap-0.11.0/debian/patches/series bubblewrap-0.11.0/debian/patches/series
--- bubblewrap-0.11.0/debian/patches/series 2024-12-30 11:17:50.000000000 +0000
+++ bubblewrap-0.11.0/debian/patches/series 2026-04-26 13:05:43.000000000 +0000
@@ -1 +1,3 @@
+CVE-2026-41163/Don-t-run-the-privilege-separated-code-dumpable.patch
+CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch
debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch