[Pkg-utopia-maintainers] Bug#1134704: bubblewrap: CVE-2026-41163: Privilege escalation if setuid root, via ptrace
Simon McVittie
smcv at debian.org
Thu Apr 23 11:35:55 BST 2026
Package: bubblewrap
Version: 0.11.0-1
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
bubblewrap >= 0.11.0 has a security vulnerability **if** installed
setuid root:
>If bubblewrap is installed in setuid mode then the user can use ptrace
>to attach to bubblewrap and control the unprivileged part of the sandbox
>setup phase. This allows the attacker to arbitrarily use the
>privileged operations, and in particular the "overlay mount" operation,
>allowing the creation of overlay mounts, which is otherwise not allowed
>in the setuid version of bubblewrap.
A significant mitigation is that Debian hasn't installed bubblewrap as
setuid root by default since 0.4.1-3 (2021, shortly before Debian 11).
It only needs to be setuid root if the
/proc/sys/kernel/unprivileged_userns_clone sysctl is turned off, but
that sysctl has been on-by-default since Debian 11.
In stable, obviously we should fix the vulnerability in case someone is
still using it as setuid. I've reported this as RC out of an abundance
of caution, but I'm not sure whether the security team will want to do
this as a DSA or not - thoughts?
Upstream have now deprecated the ability to install bubblewrap as setuid
root. In the 0.11.2 upstream release that fixes the vulnerability,
there's a new compile-time option for whether to support setuid (off by
default), and if it's disabled, bubblewrap will just refuse to run if it
detects that it has been made setuid (real uid != effective uid). Future
upstream releases are expected to remove the option, and make it
unconditionally refuse to run setuid.
My intention is to make it refuse to be setuid in testing/unstable
(probably one more upload with setuid-root discouraged but possible, and
then the next upload after that will disable it altogether) but I think
that's probably too much of a regression risk for stable.
smcv
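A quick way for an administrator to tell whether an installed bubblewrap is in the affected configuration described above (setuid root) and whether the sysctl that makes setuid unnecessary is on. This is an added example, not part of the bug report or of upstream bubblewrap; the binary path /usr/bin/bwrap is an assumption, and the sysctl path is the one named in the report.

```shell
#!/bin/sh
# Added example: check for the affected bubblewrap configuration.
# Assumptions: bwrap lives at /usr/bin/bwrap (override with $1) and the
# Debian sysctl is /proc/sys/kernel/unprivileged_userns_clone (override with $2).

# Returns 0 if FILE is setuid and owned by root, 1 otherwise.
is_setuid_root() {
    f="$1"
    [ -f "$f" ] || return 1
    # -u: setuid bit set; find -user root: owned by uid 0
    [ -u "$f" ] && [ -n "$(find "$f" -maxdepth 0 -user root 2>/dev/null)" ]
}

# Returns 0 if unprivileged user namespaces are enabled (sysctl value 1),
# i.e. the case in which bubblewrap does not need to be setuid at all.
userns_enabled() {
    sysctl_file="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    [ -r "$sysctl_file" ] || return 1
    [ "$(cat "$sysctl_file")" = "1" ]
}

# Prints a verdict. Returns 2 if the install is setuid root (affected
# before the fixed 0.11.2 upstream release), 0 otherwise.
bwrap_exposure() {
    bin="${1:-/usr/bin/bwrap}"
    sysctl_file="${2:-/proc/sys/kernel/unprivileged_userns_clone}"
    if is_setuid_root "$bin"; then
        echo "AFFECTED: $bin is setuid root (CVE-2026-41163 applies to 0.11.0 and 0.11.1)"
        return 2
    fi
    if userns_enabled "$sysctl_file"; then
        echo "OK: $bin is not setuid and unprivileged user namespaces are enabled"
    else
        echo "OK: $bin is not setuid (note: unprivileged user namespaces are disabled)"
    fi
    return 0
}

# Usage: run with no arguments on the host being checked.
# bwrap_exposure
```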