[pkg-go] Bug#1117966: Fwd: Bug#1117966: podman: CVE-2025-4953

Tom Sweeney tom.sweeney at redhat.com
Wed Dec 3 22:31:15 GMT 2025


Hi Reinhard, Salvatore and others,

     The fix for CVE-2025-4953 for Podman was tightly entwined with the 
fixes for CVE-2024-11218 and CVE-2024-9675, and we fixed both CVEs with 
one PR in Podman v4.2 and neglected to do a good job noting that 
upstream.  We'd actually unknowingly fixed CVE-2025-4953 with fixes for 
the other two CVEs in Buildah.

     So in the Podman v4.2-rhel fix, the PR that fixed this was: 
https://github.com/containers/podman/pull/25173 and our Jira card, which 
I think you can get to is: 
https://issues.redhat.com/browse/RHEL-113900.  I've added a note to the 
GitHub PR to include CVE-2025-4953 in my last comment, apologies for 
neglecting that earlier.

     In Buildah, the fixes for CVE-2024-9675 got in as a bonus with 
"[release-1.27] Properly validate cache IDs and sources" - 
https://github.com/containers/buildah/pull/5797 and then "Backport fix 
for CVE-2024-11218 <https://github.com/advisories/GHSA-5vpc-35f4-r8w6>" - 
https://github.com/containers/buildah/pull/5946, both of which were part 
of Buildah v1.27.6 which was then vendored into Podman 4.2-rhel as noted 
above.

I've attempted to add you to our internal test plan document for 
CVE-2025-4953 
(https://docs.google.com/document/d/1n7qtou8kfxwaeWM2fJv2LsgLCM8Y51aBxPo5ZxzKQf8/edit?tab=t.0) 
in case that is at all helpful.

Best Wishes,

t



On 12/3/25 2:36 PM, Paul Holzinger wrote:
>
> Hi Tom, Nalin,
>
> Not sure if someone replied directly already or I missed some email, but 
> if not, could one of you reply to Reinhard and help him out with the 
> CVE details?
>
> I cannot see any references in the upstream repo about CVE-2025-4953, 
> and the CVE tracker itself doesn't mention any patches or affected 
> versions either, which seems quite odd to me.
>
> Thanks
> Paul
>
>
>
> -------- Forwarded Message --------
> Subject: 	Re: Bug#1117966: podman: CVE-2025-4953
> Date: 	Mon, 01 Dec 2025 06:36:29 -0500
> From: 	Reinhard Tartler <siretart at tauware.de>
> To: 	Salvatore Bonaccorso <carnil at debian.org>, 1117966 at bugs.debian.org
> CC: 	Nalin Dahyabhai <nalin at redhat.com>, Paul Holzinger 
> <pholzing at redhat.com>, Matt Heon <mheon at redhat.com>
>
>
>
> Control: tag -1 help moreinfo
>
> Salvatore Bonaccorso <carnil at debian.org> writes:
>
>> The following vulnerability was published for podman.
>>
>> CVE-2025-4953[0]:
>> | A flaw was found in Podman. In a Containerfile or Podman, data
>> | written to RUN --mount=type=bind mounts during the podman build is
>> | not discarded. This issue can lead to files created within the
>> | container appearing in the temporary build context directory on the
>> | host, leaving the created files accessible.
>>
>> There is not much information (or at least I have not found it),
>> neither in GitHub issues nor pull requests. The only reference we have
>> right now is the Red Hat Bugzilla entry referring to an issue
>> import[1]. Could you try to find out more on it?
>
>> For further information see:
>> [0] https://security-tracker.debian.org/tracker/CVE-2025-4953
>> https://www.cve.org/CVERecord?id=CVE-2025-4953
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=2367235
>
> Here is what I found so far:
>
> https://github.com/advisories/GHSA-m68q-4hqr-mc6f
>
> This points to https://github.com/containers/podman/pull/25173 which
> indicates that the code fix was actually in buildah:
> https://github.com/containers/buildah/releases/tag/v1.27.6
>
> This in turn has the following release notes:
>
> | What's Changed
> | [release-1.27] Properly validate cache IDs and sources by @dashea in #5797
> | [release-1.27] Backport fix for CVE-2024-11218 by @dashea in #5946
> | [release-1.27] Bump to 1.27.6 by @dashea in #5958
>
> The PR #5797 has the following description:
>
> | What this PR does / why we need it:
> | Backport fix for CVE-2024-9675 to release-1.27 branch
> |
> | How to verify it
> | Test included in PR
> |
> | Which issue(s) this PR fixes:
> | https://issues.redhat.com/browse/RHEL-62385
> | https://issues.redhat.com/browse/RHEL-62376
>
> Which seems to be yet another issue. It seems upstream claims that
> CVE-2025-4953 was fixed by the code changes that address CVE-2024-11218
> and CVE-2024-9675.
>
> Fix for CVE-2024-9675: 
> https://github.com/containers/buildah/commit/aa67e5d71ee7ec07122a210baa3b13966a9e086c
> Fix for CVE-2024-11218: 
> https://github.com/containers/buildah/commit/9ddac02a5167a5be81ce344b178fa8585008cb0e
>
> The latter has the following commit message:
>
> | Fix TOCTOU error when bind and cache mounts use "src" values
> | Fix a time-of-check/time-of-use error when mounting type=bind and
> | type=cache directories that use a "src" flag. A hostile writer could
> | use a concurrently-running stage or build to replace that "src" location
> | between the point when we had resolved possible symbolic links and when
> | runc/crun/whatever actually went to create the bind mount
> | (CVE-2024-11218).
> |
> | Stop ignoring the "src" option for cache mounts when there's no "from"
> | option.
>
> I'm copying some friends from Red Hat to verify my thinking and double
> checking that CVE-2025-4953 is not something that "fell through the
> cracks". What makes me a bit nervous is that it was reported much later
> (October 2025) than the fixes landed (January 2025, and October 2024).
>
> So if my analysis above is correct, I'd reassign it to the buildah
> package in Debian and declare victory. Otherwise we need to verify that
> this issue has indeed been addressed upstream and identify the correct
> commit so that I can integrate it into the Debian packages, potentially
> in Debian stable.
>
> Thank you for making it so far, and let me know what I missed.
>
> Best,
> -rt
>
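As an added check (not part of this thread and not code from the Podman or Buildah projects), the following shell script exercises the behaviour the CVE description quoted above calls out: it builds a constructed Containerfile whose RUN step writes into a `--mount=type=bind` source taken from the build context, then lists any files that appeared in that context directory on the host afterwards. The Containerfile, the directory layout, the marker file and the use of the `rw` mount option are assumptions made for this check; the directory-diff helper is plain `find` so it can be exercised without Podman installed. A clean result on a given Podman version is a smoke test of packaged builds, not a proof that the fix is present.

```shell
#!/bin/sh
# Added example, not from the bug thread or from Podman/Buildah: check whether
# files written to a RUN --mount=type=bind source during a build remain in
# the build context on the host (the behaviour described for CVE-2025-4953).
set -eu

# List regular files under directory $1 that are newer than marker file $2.
# Pure find(1), so the helper can be tested without running a build.
new_files_since() {
    find "$1" -type f -newer "$2" ! -path "$2" | sort
}

# Build a constructed Containerfile in a throwaway context and report any
# file that appeared in the context's bind-mount source after the build.
# Returns 0 if the context is clean, 1 if anything was written into it.
check_bind_mount_leak() {
    ctx=$(mktemp -d)                       # constructed, temporary build context
    mkdir -p "$ctx/src"
    printf 'original\n' > "$ctx/src/keep.txt"
    marker="$ctx/.marker"
    touch "$marker"
    sleep 1                                # make later mtimes sort after the marker
    # Assumption: 'rw' is needed for the RUN step to write at all; the write
    # should not survive the build on a fixed Podman.
    cat > "$ctx/Containerfile" <<'EOF'
FROM alpine
RUN --mount=type=bind,src=src,dst=/work,rw touch /work/written-in-build
EOF
    # A failed build (e.g. the mount is read-only) still gets diffed.
    podman build --no-cache -t leak-check "$ctx" >/dev/null 2>&1 || true
    leaked=$(new_files_since "$ctx/src" "$marker")
    rm -rf "$ctx"
    if [ -n "$leaked" ]; then
        echo "files leaked into the build context:"
        echo "$leaked"
        return 1
    fi
    echo "build context clean"
}

# Only run the build when explicitly asked and podman is available.
if command -v podman >/dev/null 2>&1 && [ "${1:-}" = "--run" ]; then
    check_bind_mount_leak
fi
```

Run it as `sh leak-check.sh --run` on the machine whose Podman package you want to verify; the exit status is 1 when a file written by the RUN step is still present under the context's `src/` directory after the build.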