[Pkg-utopia-maintainers] Bug#1134704: bubblewrap: CVE-2026-41163: Privilege escalation if setuid root, via ptrace
Simon McVittie
smcv at debian.org
Tue Apr 28 11:59:56 BST 2026
On Thu, 23 Apr 2026 at 21:18:57 +0000, Moritz Mühlenhoff wrote:
> I don't think [CVE-2026-41163] needs a DSA. The more you deviate from sensible
> defaults, the more you need to look after your setup yourself.
Thanks, I've proposed this as a trixie update instead.
For security-tracker purposes, I think bullseye/bookworm can be marked
as unaffected by this. These versions were too old to have the --overlay
feature, so the only thing an attacker would have been able to do via
ptrace that they couldn't already do via the command-line would be to
make the privileged helper process call strlen(NULL) and crash itself,
by tracing the main bubblewrap process and making it send an invalid
PRIV_SEP_OP_SET_HOSTNAME request to the privileged process. That doesn't
seem like a security problem.
smcv
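An added triage helper, not part of this message or of bubblewrap itself: it classifies an installed bwrap binary by the two conditions the message says decide exposure, whether it is setuid root and whether it offers the --overlay feature. It assumes Linux with GNU coreutils (stat -c) and that the binary path is passed as the argument.

```shell
# Added example (not from the bug report): classify a bwrap binary by the
# conditions discussed above. Prints one of:
#   missing                       - no executable at that path
#   not-setuid-root               - not setuid, or setuid but not owned by root
#   setuid-root-without-overlay   - setuid root, but too old to have --overlay
#   setuid-root-with-overlay      - setuid root and --overlay is available
bwrap_exposure() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        echo "missing"
        return 0
    fi
    # Assumption: GNU stat; %u prints the numeric owner uid.
    owner_uid=$(stat -c '%u' "$bin")
    # -u tests the setuid mode bit; only meaningful when the owner is uid 0.
    if [ ! -u "$bin" ] || [ "$owner_uid" != 0 ]; then
        echo "not-setuid-root"
        return 0
    fi
    # The feature that makes the ptrace issue more than a self-crash.
    if "$bin" --help 2>&1 | grep -q -- '--overlay'; then
        echo "setuid-root-with-overlay"
    else
        echo "setuid-root-without-overlay"
    fi
}

# Usage: bwrap_exposure "$(command -v bwrap)"
```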