<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">Hi Reinhard, Salvatore and others,</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"> The fix for CVE-2025-4953 for
Podman was tightly entwined with the fixes for CVE-2024-11218 and
CVE-2024-9675, and we fixed both CVEs with one PR in Podman v4.2
and neglected to do a good job noting that upstream. We'd
actually unknowingly fixed CVE-2025-4953 with fixes for the other
two CVEs in Buildah. <br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"> So in the Podman v4.2-rhel fix, the
PR that fixed this was:
<a class="moz-txt-link-freetext" href="https://github.com/containers/podman/pull/25173">https://github.com/containers/podman/pull/25173</a> and our Jira card,
which I think you can get to is:
<a class="moz-txt-link-freetext" href="https://issues.redhat.com/browse/RHEL-113900">https://issues.redhat.com/browse/RHEL-113900</a>. I've added a note
to the GitHub PR to include CVE-2025-4953 in my last comment,
apologies for neglecting that earlier.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"> In Buildah, the fixes for
CVE-2024-9675 got in as a bonus with "[release-1.27]
Properly validate cache IDs and sources" -
<a class="moz-txt-link-freetext" href="https://github.com/containers/buildah/pull/5797">https://github.com/containers/buildah/pull/5797</a> and then "Backport
fix for <a title="CVE-2024-11218" href="https://github.com/advisories/GHSA-5vpc-35f4-r8w6">CVE-2024-11218</a>" -
<a class="moz-txt-link-freetext" href="https://github.com/containers/buildah/pull/5946">https://github.com/containers/buildah/pull/5946</a>, both of
which were part of Buildah v1.27.6, which was then vendored
into Podman 4.2-rhel as noted above.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">
I've attempted to add you to our internal test plan document
for CVE-2025-4953
(<a class="moz-txt-link-freetext" href="https://docs.google.com/document/d/1n7qtou8kfxwaeWM2fJv2LsgLCM8Y51aBxPo5ZxzKQf8/edit?tab=t.0">https://docs.google.com/document/d/1n7qtou8kfxwaeWM2fJv2LsgLCM8Y51aBxPo5ZxzKQf8/edit?tab=t.0</a>)
in case that is at all helpful.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">
Best Wishes,</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">
t<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"> <br>
</div>
<div class="moz-cite-prefix">On 12/3/25 2:36 PM, Paul Holzinger
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:9c291429-ece1-41b1-a34e-2fe0194a9983@redhat.com">
<p>Hi Tom, Nalin,</p>
<p>Not sure someone replied directly already or I missed some
email but if not could one of you reply to Reinhard and help him
out with the CVE details.</p>
<p>I cannot see any references in the upstream repo
about CVE-2025-4953 and the CVE tracker itself doesn't mention
any patches or affected version either which seems quite odd to
me.</p>
<p>Thanks<br>
Paul</p>
<div class="moz-forward-container"><br>
<br>
-------- Forwarded Message --------
<table cellpadding="0" cellspacing="0" border="0"
class="moz-email-headers-table">
<tbody>
<tr>
<th valign="BASELINE" align="RIGHT" nowrap="nowrap">Subject:
</th>
<td>Re: Bug#1117966: podman: CVE-2025-4953</td>
</tr>
<tr>
<th valign="BASELINE" align="RIGHT" nowrap="nowrap">Date:
</th>
<td>Mon, 01 Dec 2025 06:36:29 -0500</td>
</tr>
<tr>
<th valign="BASELINE" align="RIGHT" nowrap="nowrap">From:
</th>
<td>Reinhard Tartler <a class="moz-txt-link-rfc2396E"
href="mailto:siretart@tauware.de"
moz-do-not-send="true">&lt;siretart@tauware.de&gt;</a></td>
</tr>
<tr>
<th valign="BASELINE" align="RIGHT" nowrap="nowrap">To: </th>
<td>Salvatore Bonaccorso <a class="moz-txt-link-rfc2396E"
href="mailto:carnil@debian.org" moz-do-not-send="true">&lt;carnil@debian.org&gt;</a>,
<a
class="moz-txt-link-abbreviated moz-txt-link-freetext"
href="mailto:1117966@bugs.debian.org"
moz-do-not-send="true">1117966@bugs.debian.org</a></td>
</tr>
<tr>
<th valign="BASELINE" align="RIGHT" nowrap="nowrap">CC: </th>
<td>Nalin Dahyabhai <a class="moz-txt-link-rfc2396E"
href="mailto:nalin@redhat.com" moz-do-not-send="true">&lt;nalin@redhat.com&gt;</a>,
Paul Holzinger <a class="moz-txt-link-rfc2396E"
href="mailto:pholzing@redhat.com"
moz-do-not-send="true">&lt;pholzing@redhat.com&gt;</a>,
Matt Heon <a class="moz-txt-link-rfc2396E"
href="mailto:mheon@redhat.com" moz-do-not-send="true">&lt;mheon@redhat.com&gt;</a></td>
</tr>
</tbody>
</table>
<br>
<br>
Control: tag -1 help moreinfo<br>
<br>
Salvatore Bonaccorso <a class="moz-txt-link-rfc2396E"
href="mailto:carnil@debian.org" moz-do-not-send="true">&lt;carnil@debian.org&gt;</a>
writes:<br>
<br>
<blockquote type="cite">The following vulnerability was
published for podman.<br>
<br>
CVE-2025-4953[0]:<br>
| A flaw was found in Podman. In a Containerfile or Podman,
data<br>
| written to RUN --mount=type=bind mounts during the podman
build is<br>
| not discarded. This issue can lead to files created within
the<br>
| container appearing in the temporary build context directory
on the<br>
| host, leaving the created files accessible.<br>
<br>
There is not much information (or at least I have not found
it),<br>
neither in GitHub issues nor pull requests. The only reference
we have<br>
is right now the Red Hat bugzilla entry referring to an issue<br>
import[1]. Could you try to find out more on it?<br>
</blockquote>
<br>
<blockquote type="cite">For further information see:<br>
[0] <a class="moz-txt-link-freetext"
href="https://security-tracker.debian.org/tracker/CVE-2025-4953"
moz-do-not-send="true">https://security-tracker.debian.org/tracker/CVE-2025-4953</a><br>
<a class="moz-txt-link-freetext"
href="https://www.cve.org/CVERecord?id=CVE-2025-4953"
moz-do-not-send="true">https://www.cve.org/CVERecord?id=CVE-2025-4953</a><br>
[1] <a class="moz-txt-link-freetext"
href="https://bugzilla.redhat.com/show_bug.cgi?id=2367235"
moz-do-not-send="true">https://bugzilla.redhat.com/show_bug.cgi?id=2367235</a><br>
</blockquote>
<br>
Here is what I found so far:<br>
<br>
<a class="moz-txt-link-freetext"
href="https://github.com/advisories/GHSA-m68q-4hqr-mc6f"
moz-do-not-send="true">https://github.com/advisories/GHSA-m68q-4hqr-mc6f</a><br>
<br>
This points to <a class="moz-txt-link-freetext"
href="https://github.com/containers/podman/pull/25173"
moz-do-not-send="true">https://github.com/containers/podman/pull/25173</a>
which<br>
indicates that the code fix was actually in buildah:<br>
<a class="moz-txt-link-freetext"
href="https://github.com/containers/buildah/releases/tag/v1.27.6"
moz-do-not-send="true">https://github.com/containers/buildah/releases/tag/v1.27.6</a><br>
<br>
This in turn has the following release notes:<br>
<br>
| What's Changed<br>
| [release-1.27] Properly validate cache IDs and sources by
@dashea in #5797<br>
| [release-1.27] Backport fix for CVE-2024-11218 by @dashea in
#5946<br>
| [release-1.27] Bump to 1.27.6 by @dashea in #5958<br>
| <br>
The PR #5797 has the following description:<br>
<br>
| What this PR does / why we need it:<br>
| Backport fix for CVE-2024-9675 to release-1.27 branch<br>
| <br>
| How to verify it<br>
| Test included in PR<br>
| <br>
| Which issue(s) this PR fixes:<br>
| <a class="moz-txt-link-freetext"
href="https://issues.redhat.com/browse/RHEL-62385"
moz-do-not-send="true">https://issues.redhat.com/browse/RHEL-62385</a><br>
| <a class="moz-txt-link-freetext"
href="https://issues.redhat.com/browse/RHEL-62376"
moz-do-not-send="true">https://issues.redhat.com/browse/RHEL-62376</a><br>
<br>
Which seems to be yet another issue. It seems upstream claims
that<br>
CVE-2025-4953 was fixed by the code changes that address
CVE-2024-11218<br>
and CVE-2024-9675.<br>
<br>
Fix for CVE-2024-9675:
<a class="moz-txt-link-freetext"
href="https://github.com/containers/buildah/commit/aa67e5d71ee7ec07122a210baa3b13966a9e086c"
moz-do-not-send="true">https://github.com/containers/buildah/commit/aa67e5d71ee7ec07122a210baa3b13966a9e086c</a><br>
Fix for CVE-2024-11218:
<a class="moz-txt-link-freetext"
href="https://github.com/containers/buildah/commit/9ddac02a5167a5be81ce344b178fa8585008cb0e"
moz-do-not-send="true">https://github.com/containers/buildah/commit/9ddac02a5167a5be81ce344b178fa8585008cb0e</a><br>
<br>
The latter has the following commit message:<br>
<br>
| Fix TOCTOU error when bind and cache mounts use "src" values<br>
| Fix a time-of-check/time-of-use error when mounting type=bind
and<br>
| type=cache directories that use a "src" flag. A hostile writer
could<br>
| use a concurrently-running stage or build to replace that
"src" location<br>
| between the point when we had resolved possible symbolic links
and when<br>
| runc/crun/whatever actually went to create the bind mount<br>
| (CVE-2024-11218).<br>
| <br>
| Stop ignoring the "src" option for cache mounts when there's
no "from"<br>
| option.<br>
<br>
I'm copying some friends from Redhat to verify my thinking and
double<br>
checking that CVE-2025-4953 is not something that "fell through
the<br>
cracks". What makes me a bit nervous is that it was reported
much later<br>
(October 2025) than the fixes landed (January 2025, and October
2024).<br>
<br>
So if my analysis above is correct, I'd reassign it to the
buildah<br>
package in Debian and declare victory. Otherwise we need to
verify that<br>
this issue has indeed been addressed upstream and identify the
correct<br>
commit so that I can integrate it into the Debian packages,
potentially<br>
in Debian stable.<br>
<br>
Thank you for making it so far, and let me know what I missed.<br>
<br>
Best,<br>
-rt<br>
<br>
</div>
</blockquote>
<p><br>
</p>
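<p>Added example, not from this thread and not code of the Podman or Buildah projects: a Go post-build check for the behaviour the CVE-2025-4953 description quoted above calls out, where data written through a <code>RUN --mount=type=bind</code> mount ends up in the build context directory on the host. It snapshots the context directory before and after a build callback and reports anything that was created or rewritten, which is the observation a packager would want to make when verifying that a backported fix actually took effect. The temporary directory, the file names, the <code>build</code> stand-in and the <code>Snapshot</code>/<code>Diff</code>/<code>CheckContext</code> names are all constructed for this example.</p>

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Entry records enough about a file in the build context to notice that it
// was created or rewritten while a build ran.
type Entry struct {
	Size    int64
	ModTime int64 // nanoseconds since the Unix epoch
	IsDir   bool
}

// Snapshot walks root and records every entry below it, keyed by its path
// relative to root. Symlinks are recorded as themselves and not followed, so a
// link pointing outside the context cannot pull other host files into the diff.
func Snapshot(root string) (map[string]Entry, error) {
	snap := make(map[string]Entry)
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		if rel == "." {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		snap[rel] = Entry{Size: info.Size(), ModTime: info.ModTime().UnixNano(), IsDir: info.IsDir()}
		return nil
	})
	return snap, err
}

// Diff returns the paths that appeared (created) and the non-directory paths
// whose size or mtime changed (modified) between two snapshots. Directories are
// left out of "modified": their mtime changes whenever a child is added, and
// the "created" list already reports that child.
func Diff(before, after map[string]Entry) (created, modified []string) {
	for rel, e := range after {
		old, ok := before[rel]
		switch {
		case !ok:
			created = append(created, rel)
		case !e.IsDir && old != e:
			modified = append(modified, rel)
		}
	}
	sort.Strings(created)
	sort.Strings(modified)
	return created, modified
}

// CheckContext snapshots ctxDir, runs build, snapshots again and returns what
// the build left behind in the context. A clean build returns two empty lists.
func CheckContext(ctxDir string, build func() error) (created, modified []string, err error) {
	before, err := Snapshot(ctxDir)
	if err != nil {
		return nil, nil, err
	}
	if err := build(); err != nil {
		return nil, nil, err
	}
	after, err := Snapshot(ctxDir)
	if err != nil {
		return nil, nil, err
	}
	created, modified = Diff(before, after)
	return created, modified, nil
}

func main() {
	// Constructed build context: a temporary directory holding one Containerfile,
	// standing in for the directory handed to `podman build`.
	ctx, err := os.MkdirTemp("", "buildctx-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(ctx)
	if err := os.WriteFile(filepath.Join(ctx, "Containerfile"), []byte("FROM scratch\n"), 0o644); err != nil {
		panic(err)
	}

	// Stand-in for a build whose RUN --mount=type=bind step wrote through the
	// mount into the context directory; a real check would run the build tool here.
	build := func() error {
		return os.WriteFile(filepath.Join(ctx, "leaked.txt"), []byte("written inside RUN\n"), 0o644)
	}

	created, modified, err := CheckContext(ctx, build)
	if err != nil {
		panic(err)
	}
	if len(created) == 0 && len(modified) == 0 {
		fmt.Println("build context unchanged")
		return
	}
	fmt.Println("build context was modified during the build:")
	for _, p := range created {
		fmt.Printf("  created:  %s\n", p)
	}
	for _, p := range modified {
		fmt.Printf("  modified: %s\n", p)
	}
}
```

<p>The comparison is size plus mtime, so a file rewritten with identical length inside the filesystem's timestamp granularity would be missed; hashing file contents in <code>Snapshot</code> closes that gap at the cost of reading the whole context. Run against a fixed Podman or Buildah, the callback should report an unchanged context for a Containerfile whose <code>RUN --mount=type=bind</code> step writes into the mount.</p>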
</body>
</html>