[Pkg-utopia-maintainers] Bug#1134965: trixie-pu: package bubblewrap/0.11.0-2+deb13u1

Simon McVittie smcv at debian.org
Sun Apr 26 14:33:35 BST 2026


Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: bubblewrap at packages.debian.org
Control: affects -1 + src:bubblewrap
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]

Fix CVE-2026-41163, a privilege escalation vulnerability in the 
deprecated configuration where /usr/bin/bwrap is setuid root.

[ Impact ]

If the local sysadmin has manually set /usr/bin/bwrap to be setuid root 
(normally via dpkg-statoverride), a malicious local user could use it to 
mount overlayfs filesystems in their containers' filesystems, and 
perhaps make use of that ability to carry out other attacks.

In practice a sysadmin would likely only do this if they have configured 
their kernel to reject attempts to create user namespaces in 
unprivileged processes (like the Debian 10 kernel did). Many Flatpak 
apps will already not work as intended in this setup, because they 
require features that bubblewrap only exposes when it is unprivileged.

[ Tests ]

The proposed bubblewrap can still run Flatpak apps on a Debian 13 GNOME 
desktop (tried Discord in the normal configuration where bubblewrap is 
unprivileged, and GNOME Nibbles in the deprecated configuration where 
bwrap is setuid root).

[ Risks ]

A straightforward backport from bubblewrap 0.11.2-1 in unstable, which 
is not yet in testing but should get there next week.

In particular I decided to leave the setuid-root configuration as still 
possible in Debian 13, to minimize regression risk.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

All changes are part of fixing CVE-2026-41163. Strictly speaking the 
second patch 
debian/patches/CVE-2026-41163/fix-harden-privsep-parent-against-unexpected-operations.patch 
is only hardening rather than being strictly required (those checks 
should never fail if the first patch has worked as intended), but it's 
rather simple.

[ Other info ]

The security team declined to do a DSA for this, on the basis that the 
deprecated configuration no longer makes sense for desktop workloads 
in Debian >= 11, and users of a non-default security posture are 
responsible for the consequences of their choices.

After bubblewrap 0.11.2-1 has migrated to testing, I intend to swap the 
value of its new -Dsupport_setuid option so that /usr/bin/bwrap will 
refuse to run if it detects setuid (or more precisely, euid != uid). 
Similarly, upstream plans to remove that option in 0.12.0 so that newer 
bwrap releases will unconditionally refuse to run setuid.

As a result, the deprecated setup will likely no longer be possible in 
Debian 14, preventing vulnerabilities like this one.
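As an added example (not part of Simon McVittie's report or of the bubblewrap package), a POSIX sh check a sysadmin can run to find out whether a host is in the deprecated setuid-root configuration described above. It reads the installed mode of /usr/bin/bwrap with `stat -c %a` and looks the path up in `dpkg-statoverride --list` output (one `user group mode path` line per override); the function names and the exit status 2 for "setuid found" are this example's own conventions.

```sh
#!/bin/sh
# Added example: detect the deprecated setuid-root bwrap configuration
# that CVE-2026-41163 affects. Not code from the bug report or upstream.

BWRAP=/usr/bin/bwrap

# has_setuid_bit MODE -> 0 if the setuid bit (04000) is set, 1 otherwise.
# MODE is the octal string printed by `stat -c %a`, e.g. 4755 or 755.
has_setuid_bit() {
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

# statoverride_mode LIST PATH -> prints the mode recorded for PATH in LIST,
# where LIST is `dpkg-statoverride --list` output ("user group mode path"),
# or prints nothing when PATH has no override.
statoverride_mode() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { print $3 }'
}

# deprecated_setuid_config MODE OVERRIDE_MODE -> 0 if either the installed
# file mode or the recorded override makes bwrap setuid, 1 otherwise.
# (An override with no installed setuid bit still matters: dpkg reapplies
# it on the next upgrade.)
deprecated_setuid_config() {
    if has_setuid_bit "$1"; then return 0; fi
    [ -n "$2" ] && has_setuid_bit "$2"
}

# check_host: inspect the real system; returns 2 if bwrap is setuid.
check_host() {
    [ -e "$BWRAP" ] || { echo "$BWRAP not installed"; return 0; }
    mode=$(stat -c %a "$BWRAP")
    override=$(statoverride_mode "$(dpkg-statoverride --list 2>/dev/null || true)" "$BWRAP")
    if deprecated_setuid_config "$mode" "$override"; then
        echo "WARNING: $BWRAP is setuid (mode $mode, override: ${override:-none});"
        echo "this is the deprecated configuration affected by CVE-2026-41163."
        return 2
    fi
    echo "$BWRAP is unprivileged (mode $mode, override: ${override:-none})."
}

check_host
```

Removing the override with `dpkg-statoverride --remove /usr/bin/bwrap` and reinstalling the package restores the unprivileged default; the report notes that Flatpak apps generally work better that way anyway.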
