[pkg-go] Bug#1117966: podman: CVE-2025-4953
Reinhard Tartler
siretart at tauware.de
Mon Dec 1 11:36:29 GMT 2025
Control: tag -1 help moreinfo
Salvatore Bonaccorso <carnil at debian.org> writes:
> The following vulnerability was published for podman.
>
> CVE-2025-4953[0]:
> | A flaw was found in Podman. In a Containerfile or Podman, data
> | written to RUN --mount=type=bind mounts during the podman build is
> | not discarded. This issue can lead to files created within the
> | container appearing in the temporary build context directory on the
> | host, leaving the created files accessible.
>
> There is not much information (or at least I have not found it),
> neither in github issues or pull requests. The only reference we have
> is right now the Red Hat bugzilla entry referring to an issue
> import[1]. Could you try to find out more on it?
> For further information see:
> [0] https://security-tracker.debian.org/tracker/CVE-2025-4953
> https://www.cve.org/CVERecord?id=CVE-2025-4953
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=2367235
Here is what I found so far:
https://github.com/advisories/GHSA-m68q-4hqr-mc6f
This points to https://github.com/containers/podman/pull/25173 which
indicates that the code fix was actually in buildah:
https://github.com/containers/buildah/releases/tag/v1.27.6
This in turn has the following release notes:
| What's Changed
| [release-1.27] Properly validate cache IDs and sources by @dashea in #5797
| [release-1.27] Backport fix for CVE-2024-11218 by @dashea in #5946
| [release-1.27] Bump to 1.27.6 by @dashea in #5958
|
The PR #5797 has the following description:
| What this PR does / why we need it:
| Backport fix for CVE-2024-9675 to release-1.27 branch
|
| How to verify it
| Test included in PR
|
| Which issue(s) this PR fixes:
| https://issues.redhat.com/browse/RHEL-62385
| https://issues.redhat.com/browse/RHEL-62376
Which seems to be yet another issue. It seems upstream claims that
CVE-2025-4953 was fixed by the code changes that address CVE-2024-11218
and CVE-2024-9675.
Fix for CVE-2024-9675: https://github.com/containers/buildah/commit/aa67e5d71ee7ec07122a210baa3b13966a9e086c
Fix for CVE-2024-11218: https://github.com/containers/buildah/commit/9ddac02a5167a5be81ce344b178fa8585008cb0e
The latter has the following commit message:
| Fix TOCTOU error when bind and cache mounts use "src" values
| Fix a time-of-check/time-of-use error when mounting type=bind and
| type=cache directories that use a "src" flag. A hostile writer could
| use a concurrently-running stage or build to replace that "src" location
| between the point when we had resolved possible symbolic links and when
| runc/crun/whatever actually went to create the bind mount
| (CVE-2024-11218).
|
| Stop ignoring the "src" option for cache mounts when there's no "from"
| option.
I'm copying some friends from Redhat to verify my thinking and double
checking that CVE-2025-4953 is not something that "fell through the
cracks". What makes me a bit nervous is that it was reported much later
(October 2025) than the fixes landed (January 2025, and October 2024).
So if my analysis above is correct, I'd reassign it to the buildah
package in Debian and declare victory. Otherwise we need to verify that
this issue has indeed been addressed upstream and identify the correct
commit so that I can integrate it into the Debian packages, potentially
in Debian stable.
Thank you for making it so far, and let me know what I missed.
Best,
-rt