[Pkg-utopia-maintainers] Bug#1134704: bubblewrap: CVE-2026-41163: Privilege escalation if setuid root, via ptrace
Moritz Mühlenhoff
jmm at inutil.org
Tue Apr 28 19:02:14 BST 2026
On Tue, Apr 28, 2026 at 11:59:56AM +0100, Simon McVittie wrote:
> On Thu, 23 Apr 2026 at 21:18:57 +0000, Moritz Mühlenhoff wrote:
> > I don't think [CVE-2026-41163] needs a DSA. The more you deviate from sensible
> > defaults, the more you need to look after your setup yourself.
>
> Thanks, I've proposed this as a trixie update instead.
>
> For security-tracker purposes, I think bullseye/bookworm can be marked
> as unaffected by this. These versions were too old to have the --overlay
> feature, so the only thing an attacker would have been able to do via
> ptrace that they couldn't already do via the command-line would be to
> make the privileged helper process call strlen(NULL) and crash itself,
> by tracing the main bubblewrap process and making it send an invalid
> PRIV_SEP_OP_SET_HOSTNAME request to the privileged process. That doesn't
> seem like a security problem.
Thanks, I've updated the Security Tracker.
Cheers,
Moritz