Version in base suite: 2.68.3-3
Base version: snapd_2.68.3-3
Target version: snapd_2.68.3-3+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/snapd/snapd_2.68.3-3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/s/snapd/snapd_2.68.3-3+deb13u1.dsc
changelog | 9 ++
patches/data-more-precise-prune-pattern-for-tmpfiles.patch | 32 ++++++++++
patches/data-systemd-tmpfiles-protect-the-per-snap-tmp-16197.patch | 25 +++++++
patches/series | 2
4 files changed, 68 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmphke6uoxr/snapd_2.68.3-3.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmphke6uoxr/snapd_2.68.3-3+deb13u1.dsc: no acceptable signature found
diff: /srv/release.debian.org/tmp/IvvtpJpgr3/snapd-2.68.3/core-initrd/latest/factory/init: No such file or directory
diff: /srv/release.debian.org/tmp/F930ewHC95/snapd-2.68.3/core-initrd/latest/factory/init: No such file or directory
diff: /srv/release.debian.org/tmp/IvvtpJpgr3/snapd-2.68.3/core-initrd/latest/factory/usr/lib/systemd/system/basic.target.wants/snapd.recovery-chooser-trigger.service: No such file or directory
diff: /srv/release.debian.org/tmp/F930ewHC95/snapd-2.68.3/core-initrd/latest/factory/usr/lib/systemd/system/basic.target.wants/snapd.recovery-chooser-trigger.service: No such file or directory
diff: /srv/release.debian.org/tmp/IvvtpJpgr3/snapd-2.68.3/core-initrd/latest/factory/usr/lib/systemd/system/initrd-root-fs.target.wants/sysroot.mount: No such file or directory
diff: /srv/release.debian.org/tmp/F930ewHC95/snapd-2.68.3/core-initrd/latest/factory/usr/lib/systemd/system/initrd-root-fs.target.wants/sysroot.mount: No such file or directory
diff: /srv/release.debian.org/tmp/IvvtpJpgr3/snapd-2.68.3/core-initrd/latest/factory/usr/lib/systemd/system/initrd-switch-root.target.wants/plymouth-switch-root.service: No such file or directory
diff: /srv/release.debian.org/tmp/F930ewHC95/snapd-2.68.3/core-initrd/latest/factory/usr/lib/systemd/system/initrd-switch-root.target.wants/plymouth-switch-root.service: No such file or directory
diff: /srv/release.debian.org/tmp/IvvtpJpgr3/snapd-2.68.3/core-initrd/latest/factory/usr/lib/systemd/system/initrd-switch-root.target.wants/snapd.recovery-chooser-trigger.service: No such file or directory
diff: /srv/release.debian.org/tmp/F930ewHC95/snapd-2.68.3/core-initrd/latest/factory/usr/lib/systemd/system/initrd-switch-root.target.wants/snapd.recovery-chooser-trigger.service: No such file or directory
diff: /srv/release.debian.org/tmp/IvvtpJpgr3/snapd-2.68.3/core-initrd/latest/factory/usr/lib/systemd/system/sysinit.target.wants/plymouth-start.service: No such file or directory
diff: /srv/release.debian.org/tmp/F930ewHC95/snapd-2.68.3/core-initrd/latest/factory/usr/lib/systemd/system/sysinit.target.wants/plymouth-start.service: No such file or directory
diff -Nru snapd-2.68.3/debian/changelog snapd-2.68.3/debian/changelog
--- snapd-2.68.3/debian/changelog 2025-07-15 06:01:41.000000000 +0000
+++ snapd-2.68.3/debian/changelog 2026-03-17 21:07:18.000000000 +0000
@@ -1,3 +1,12 @@
+snapd (2.68.3-3+deb13u1) trixie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * data/systemd-tmpfiles: protect the per-snap tmp
+ * data: more precise prune pattern for tmpfiles (CVE-2026-3888)
+ (Closes: #1131120)
+
+ -- Salvatore Bonaccorso Tue, 17 Mar 2026 22:07:18 +0100
+
 snapd (2.68.3-3) unstable; urgency=medium
 
 [ Zygmunt Krynicki ]
diff -Nru snapd-2.68.3/debian/patches/data-more-precise-prune-pattern-for-tmpfiles.patch snapd-2.68.3/debian/patches/data-more-precise-prune-pattern-for-tmpfiles.patch
--- snapd-2.68.3/debian/patches/data-more-precise-prune-pattern-for-tmpfiles.patch 1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.68.3/debian/patches/data-more-precise-prune-pattern-for-tmpfiles.patch 2026-03-17 21:06:16.000000000 +0000
@@ -0,0 +1,32 @@
+From d2afe1a6f1174d1023a24b1b168df973830cb5cf Mon Sep 17 00:00:00 2001
+From: Zygmunt Krynicki
+Date: Fri, 13 Feb 2026 15:38:01 +0100
+Subject: [PATCH] data: more precise prune pattern for tmpfiles
+
+This way the structure of private tmp directories is left intact, while the
+(aging) content of such directories is allowed to be removed.
+
+Signed-off-by: Zygmunt Krynicki
+---
+ data/systemd-tmpfiles/snapd.conf | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/data/systemd-tmpfiles/snapd.conf b/data/systemd-tmpfiles/snapd.conf
+index da8f1c38b709..98329e3d6ca7 100644
+--- a/data/systemd-tmpfiles/snapd.conf
++++ b/data/systemd-tmpfiles/snapd.conf
+@@ -1,7 +1,7 @@
+ D! /tmp/snap-private-tmp 0700 root root -
+
+-# make sure the snap's private tmp folders are
+-# not reaped by age if configured by the system (noble+)
+-# this will still let the contents be reaped, just not the
+-# folder itself
++# Allow removing content in the private tmp folders without affecting the
++# architectural structure of the folders themselves.
++X /tmp/snap-private-tmp
+ X /tmp/snap-private-tmp/*/tmp
++x /tmp/snap-private-tmp/*/tmp/.snap
+--
+2.53.0
+
diff -Nru snapd-2.68.3/debian/patches/data-systemd-tmpfiles-protect-the-per-snap-tmp-16197.patch snapd-2.68.3/debian/patches/data-systemd-tmpfiles-protect-the-per-snap-tmp-16197.patch
--- snapd-2.68.3/debian/patches/data-systemd-tmpfiles-protect-the-per-snap-tmp-16197.patch 1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.68.3/debian/patches/data-systemd-tmpfiles-protect-the-per-snap-tmp-16197.patch 2026-03-17 21:07:18.000000000 +0000
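Review bot: The new snapd.conf comment explains the upper-case `X` lines but says nothing about the lower-case `x /tmp/snap-private-tmp/*/tmp/.snap` line, whose tmpfiles.d meaning differs: `x` exempts the path and everything beneath it from age-based clean-up, while `X` exempts only the path itself and still lets its contents age out. A one-line comment directly above it such as `# x (not X): keep .snap and everything under it out of age clean-up` would make the intended boundary between reapable content and protected structure explicit to whoever next edits this file. Since this patch and data-systemd-tmpfiles-protect-the-per-snap-tmp-16197.patch are both carried as plain git format-patch output, DEP-3 trailers such as `Origin: upstream, commit d2afe1a6f1174d1023a24b1b168df973830cb5cf` and `Bug-Debian: https://bugs.debian.org/1131120` (naming CVE-2026-3888) would let the security tracker and future rebases tie each patch to its origin without consulting the changelog.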
@@ -0,0 +1,25 @@
+From d3e2c3d85f9a0571fabfc079f89d0135a07afd67 Mon Sep 17 00:00:00 2001
+From: Philip Meulengracht
+Date: Wed, 12 Nov 2025 14:50:06 +0100
+Subject: [PATCH] data/systemd-tmpfiles: protect the per-snap tmp (#16197)
+
+Protect the per-snap tmp directory against being reaped by age
+---
+ data/systemd-tmpfiles/snapd.conf | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/data/systemd-tmpfiles/snapd.conf b/data/systemd-tmpfiles/snapd.conf
+index 03c9bb076f9b..da8f1c38b709 100644
+--- a/data/systemd-tmpfiles/snapd.conf
++++ b/data/systemd-tmpfiles/snapd.conf
+@@ -1 +1,7 @@
+ D! /tmp/snap-private-tmp 0700 root root -
++
++# make sure the snap's private tmp folders are
++# not reaped by age if configured by the system (noble+)
++# this will still let the contents be reaped, just not the
++# folder itself
++X /tmp/snap-private-tmp/*/tmp
+--
+2.53.0
+
diff -Nru snapd-2.68.3/debian/patches/series snapd-2.68.3/debian/patches/series
--- snapd-2.68.3/debian/patches/series 2025-07-15 06:01:41.000000000 +0000
+++ snapd-2.68.3/debian/patches/series 2026-03-17 21:07:18.000000000 +0000
@@ -3,3 +3,5 @@
 0010-man-page-sections.patch
 multilib.patch
 0005-Add-Debian-Trixie-to-autopkgtest-entries.patch
+data-systemd-tmpfiles-protect-the-per-snap-tmp-16197.patch
+data-more-precise-prune-pattern-for-tmpfiles.patch