[From nobody Thu Apr 30 20:49:16 2026 Received: (at 1134704-close) by bugs.debian.org; 30 Apr 2026 19:47:07 +0000 X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02 (2024-03-25) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-114.2 required=4.0 tests=ALL_TRUSTED,BAYES_00, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FVGT_m_MULTI_ODD, HAS_BUG_NUMBER,MD5_SHA1_SUM,PGPSIGNATURE,USER_IN_DKIM_WELCOMELIST autolearn=ham autolearn_force=no version=4.0.1-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 87; hammy, 149; neutral, 169; spammy, 1. spammytokens:0.999-1--r59 hammytokens:0.000-+--HX-Debian:DAK, 0.000-+--H*rp:D*ftp-master.debian.org, 0.000-+--UD:debian.tar.xz, 0.000-+--H*r:sk:fasolo., 0.000-+--H*MI:fasolo Return-path: <envelope@ftp-master.debian.org> Received: from muffat.debian.org ([2607:f8f0:614:1::1274:33]:36668) by buxtehude.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>) id 1wIXLn-00FIcX-2z for 1134704-close@bugs.debian.org; Thu, 30 Apr 2026 19:47:07 +0000 Received: via submission from C=NA, ST=NA, L=Ankh Morpork, O=Debian SMTP, OU=Debian SMTP CA, CN=fasolo.debian.org, EMAIL=hostmaster@fasolo.debian.org (verified) by muffat.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>) id 1wIXLn-003rHd-06 for 1134704-close@bugs.debian.org; Thu, 30 Apr 2026 19:47:07 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.fasolo; h=Date:Message-Id:Content-Type: Subject:MIME-Version:To:Reply-To:From:Cc:Content-Transfer-Encoding:Content-ID :Content-Description:In-Reply-To:References; bh=qhhvFwlhdLSnKt2LkGtsmjR5OtnKCEsUDFgTYB36kK8=; b=K5hbc7U8mJq1Afxh0bAHkGHuSy 4LPOQq7Y1K5PqCe3e3LLaqLeYLYvJA7GnSTNoIwQIMLXj7ck1gNYicKUUaPrPgjGDOF84PyLqOLbg 88qJDiVZYvdGMmoDlQEVzayaiSebjPy8wxapweCakKJokSNXd8d6aQkQHnDy9pfpx2d4ID7hLGkUX RfrNjPJq8L6ZdVDAooA/nn2RvRsBTGGy+SNSLb4VuXvmAvqqMVWmfApIhIzauynr265TG8HB2wxpX E1XjO5FBIvSuFVzqqYlNwm9/mXniTl5h/Uc3Dqq4bhePPA10WdIqUqWrr7mXF80TcBd6Hi7rLYvgi kHHOINbA==; Received: from dak by fasolo.debian.org with local (Exim 4.98.2) (envelope-from <envelope@ftp-master.debian.org>) id 1wIXLm-0000000Efky-0YaN; Thu, 30 Apr 2026 19:47:06 +0000 From: Debian FTP Masters <ftpmaster@ftp-master.debian.org> Reply-To: Simon McVittie <smcv@debian.org> To: 1134704-close@bugs.debian.org X-DAK: dak process-policy X-Debian: DAK X-Debian-Package: bubblewrap Debian: DAK Debian-Changes: bubblewrap_0.11.0-2+deb13u1_source.changes Debian-Source: bubblewrap Debian-Version: 0.11.0-2+deb13u1 Debian-Architecture: source Debian-Suite: proposed-updates Debian-Archive-Action: accept MIME-Version: 1.0 Subject: Bug#1134704: fixed in bubblewrap 0.11.0-2+deb13u1 Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="===============3577288967360178096==" Message-Id: <E1wIXLm-0000000Efky-0YaN@fasolo.debian.org> Date: Thu, 30 Apr 2026 19:47:06 +0000 --===============3577288967360178096== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Source: bubblewrap Source-Version: 0.11.0-2+deb13u1 Done: Simon McVittie <smcv@debian.org> We believe that the bug you reported is fixed in the latest version of bubblewrap, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1134704@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Simon McVittie <smcv@debian.org> (supplier of updated bubblewrap package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 26 Apr 2026 14:05:43 +0100 Source: bubblewrap Architecture: source Version: 0.11.0-2+deb13u1 Distribution: trixie Urgency: medium Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debi= an.org> Changed-By: Simon McVittie <smcv@debian.org> Closes: 1134704 Changes: bubblewrap (0.11.0-2+deb13u1) trixie; urgency=3Dmedium . * d/control, d/gbp.conf: Branch for Debian 13 stable updates * d/patches: Fix privilege escalation if bubblewrap is setuid root. /usr/bin/bwrap has not been installed setuid-root by default since Debian 11, but if it was made setuid via a dpkg-statoverride set up by the local sysadmin (most likely in conjunction with turning off the ability for unprivileged users to create new user namespaces), then the version included in Debian 13.4 would be vulnerable. (CVE-2026-41163, Closes: #1134704) Note that the ability to install bubblewrap setuid-root has been deprecated upstream, and the version included in Debian 14 will refuse to run if it is setuid. Checksums-Sha1: 2f2dca80192f1538468af06059fade7692f55b85 2742 bubblewrap_0.11.0-2+deb13u1.dsc 0a67899ee6142ea5db6eade50e635c55489793ae 14468 bubblewrap_0.11.0-2+deb13u1.d= ebian.tar.xz 8eb2ea75172230ae0e3bbed1d88e4e9f700be0fe 7427 bubblewrap_0.11.0-2+deb13u1_so= urce.buildinfo Checksums-Sha256: 556589d3abf471da3275635ed986689edb1f997648d0ceaa27625623e8241e00 2742 bubble= wrap_0.11.0-2+deb13u1.dsc 29019acc1d4ed84f1abed2b8a986c9c17010296a6becf4f450d953e527aeda01 14468 bubbl= ewrap_0.11.0-2+deb13u1.debian.tar.xz 3e04c13ba779e017384425d089b59da60cccc47742c89f61674f03e21fb18a84 7427 bubble= wrap_0.11.0-2+deb13u1_source.buildinfo Files: ad1415b860142e4e8a7f3f358621feba 2742 admin optional bubblewrap_0.11.0-2+deb= 13u1.dsc 8cf97a652708913d8157003899f2ee1b 14468 admin optional bubblewrap_0.11.0-2+de= b13u1.debian.tar.xz 215105573fa76776cc6b95406536447a 7427 admin optional bubblewrap_0.11.0-2+deb= 13u1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEegc60a5pT6Jb/2LlI1wJnT6zMHYFAmnuFHwACgkQI1wJnT6z MHZU7RAAjl9xZ5JwKyDhr21JV6i/Nsu3ECJgTygrECX51HM+8RcF2tocbgxJNCDa YofeDQ2/1x6/D75S95LgfIHGYWkTgKbByWXiRjk9KYE+yye/J27xF8UZbE19vzw9 cX4HeoPJxKPjupr9Fhrfup3ZskU4Aa756isV/AA5rOosyefCmVhkh2/1dgwDYKiR AM58EI5D0lReJNdwRsOBiHfGYFjFAWp/I1rplAi+bCeedIsAQrNerpWk+oEPl4JI zSmb7loJXUCjhWx05xEU0LlLJqgrbfR7S9RmPzdoPCm/gjFSE+r59+ZDR/e+4hAZ Pm+Dlqh8iSrzodsUDNxi6992CIOJw+R5k1D5AvyM90n4OWCMEFgBSVzWqztivp75 wN1y7/uZFAlohvVKU+IVi5O0IMVJPqhi9lxIEg6fQ6p4TDpiUiqkCQs1N5T1ZbMb mfQWgVTeUffDRz90PzPD0SJvWt3BDQM9GbzaGC9tugmsDr+NhgfRk5+X871eWzu+ wIBMD1Rjy3oUpDwi7EL0bgdwFPyecijQ3PKVB/HFxOHFAAqNWBovJGHy9A3oxZCn ZOzqMJjzsMRWvyK2KIlA8acMR+kkYT3C70IPZpmaAepowgCLG6BlDCXM/eoYl+eE 6PIcILGSkYPH/sIVYkwHC9OmqFLdbaJsbeJKrXjAKqqkaJFnDRs=3D =3DtuF4 -----END PGP SIGNATURE----- --===============3577288967360178096== Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQTziqJOuF8J+ZI8pJSb9qggYcy5IQUCafOxugAKCRCb9qggYcy5 IRkjAPoDbk7FOkcjr0LjBPhem+MFrKEcxEs4+KC/0v7J6FCUAQEAzU6YowNXQj2Q dc8f8TRmtEECPtk67OIJu4WtnBzkbwE= =ZQT7 -----END PGP SIGNATURE----- --===============3577288967360178096==-- ]