[Pkg-utopia-maintainers] Bug#1134704: bubblewrap: CVE-2026-41163: Privilege escalation if setuid root, via ptrace
Moritz Mühlenhoff
jmm at inutil.org
Thu Apr 23 22:18:57 BST 2026
On Thu, Apr 23, 2026 at 11:35:55AM +0100, Simon McVittie wrote:
> Package: bubblewrap
> Version: 0.11.0-1
> Severity: grave
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
>
> A significant mitigation is that Debian hasn't installed bubblewrap as
> setuid root by default since 0.4.1-3 (2021, shortly before Debian 11).
> It only needs to be setuid root if the
> /proc/sys/kernel/unprivileged_userns_clone sysctl is turned off, but
> that sysctl has been on-by-default since Debian 11.
>
> In stable, obviously we should fix the vulnerability in case someone is
> still using it as setuid. I've reported this as RC out of an abundance
> of caution, but I'm not sure whether the security team will want to do
> this as a DSA or not - thoughts?
I don't think this needs a DSA. The more you deviate from sensible
defaults, the more you need to look after your setup yourself.
Disabled unprivileged user namespaces have many legit use cases,
but certainly not for desktop workloads.
Cheers,
Moritz
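A quick way to test whether the mitigation Simon describes applies on a given host: bubblewrap only needs the setuid bit when /proc/sys/kernel/unprivileged_userns_clone is 0, and a non-setuid bwrap is not exposed to this bug at all. The script below is an added example, not code from the bug report or from the bubblewrap project. It assumes GNU coreutils `stat -c '%a'` (Debian), treats an absent unprivileged_userns_clone sysctl as "unprivileged user namespaces allowed" (that sysctl is a Debian kernel patch; on other kernels this is an assumption), and the classification names (`not-setuid`, `setuid-unneeded`, `setuid-needed`) are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): report whether this host still runs
# bwrap setuid root, and whether that setuid bit is actually needed given the
# kernel.unprivileged_userns_clone sysctl.

# Returns 0 if the octal mode string from `stat -c '%a'` (e.g. "4755") has the
# setuid bit set. GNU stat prints 3 digits for plain files ("755") and a 4th,
# leading digit only when setuid (4), setgid (2) or sticky (1) is present.
mode_is_setuid() {
    case "$1" in
        4???|5???|6???|7???) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a (sysctl value, file mode) pair. Prints exactly one of:
#   not-setuid       bwrap is not setuid root: this CVE does not apply
#   setuid-unneeded  setuid root, but unprivileged userns are on: drop the bit
#   setuid-needed    setuid root and unprivileged userns are off: patch bwrap
# (classification names are an assumption of this example)
assess_bwrap() {
    userns_clone="$1"
    mode="$2"
    if ! mode_is_setuid "$mode"; then
        echo "not-setuid"
    elif [ "$userns_clone" = "1" ]; then
        echo "setuid-unneeded"
    else
        echo "setuid-needed"
    fi
}

# Live check of the current host. Returns 0 even when bwrap is absent so the
# script can be sourced from a larger audit without aborting under `set -e`.
check_host() {
    bwrap_path=$(command -v bwrap 2>/dev/null) || {
        echo "bwrap not installed"
        return 0
    }
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        userns=$(cat /proc/sys/kernel/unprivileged_userns_clone)
    else
        # Assumption: without the Debian sysctl, unprivileged userns are allowed.
        userns=1
    fi
    mode=$(stat -c '%a' "$bwrap_path")   # GNU stat (Debian coreutils)
    printf '%s mode=%s unprivileged_userns_clone=%s -> %s\n' \
        "$bwrap_path" "$mode" "$userns" "$(assess_bwrap "$userns" "$mode")"
}

check_host
```

Run it as a normal user; no root is needed, since both the sysctl and the file mode are world-readable. A `setuid-unneeded` result means the Debian default (no setuid bit, unprivileged user namespaces enabled) can simply be restored with `chmod u-s` on the binary; `setuid-needed` is the configuration the thread is discussing, where the setuid bit is doing real work and the fixed package matters.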