Hi Reinhard, Salvatore and others,

The fix for CVE-2025-4953 for Podman was tightly entwined with the fixes for CVE-2024-11218 and CVE-2024-9675, and we fixed both CVEs with one PR in Podman v4.2 and neglected to do a good job noting that upstream.  We'd actually unknowingly fixed CVE-2025-4953 with fixes for the other two CVEs in Buildah.

So in the Podman v4.2-rhel fix, the PR that fixed this was: https://github.com/containers/podman/pull/25173 and our Jira card, which I think you can get to, is: https://issues.redhat.com/browse/RHEL-113900.  I've added a note to the GitHub PR to include CVE-2025-4953 in my last comment, apologies for neglecting that earlier.

In Buildah, the fixes for CVE-2024-9675 got in as a bonus with "[release-1.27] Properly validate cache IDs and sources" - https://github.com/containers/buildah/pull/5797 and then "Backport fix for CVE-2024-11218 <https://github.com/advisories/GHSA-5vpc-35f4-r8w6>" - https://github.com/containers/buildah/pull/5946, both of which were part of Buildah v1.27.6 which was then vendored into Podman 4.2-rhel as noted above.

I've attempted to add you to our internal test plan document for CVE-2025-4953 (https://docs.google.com/document/d/1n7qtou8kfxwaeWM2fJv2LsgLCM8Y51aBxPo5ZxzKQf8/edit?tab=t.0) in case that is all helpful.

Best Wishes,

t



On 12/3/25 2:36 PM, Paul Holzinger wrote:

Hi Tom, Nalin,

Not sure someone replied directly already or I missed some email but if not could one of you reply to Reinhard and help him out with the CVE details.

I cannot see any references in the upstream repo about CVE-2025-4953 and the CVE tracker itself doesn't mention any patches or affected version either which seems quite odd to me.

Thanks
Paul



-------- Forwarded Message --------
Subject:        Re: Bug#1117966: podman: CVE-2025-4953
Date:   Mon, 01 Dec 2025 06:36:29 -0500
From:   Reinhard Tartler <[email protected]>
To:     Salvatore Bonaccorso <[email protected]>, [email protected]
CC: Nalin Dahyabhai <[email protected]>, Paul Holzinger <[email protected]>, Matt Heon <[email protected]>



Control: tag -1 help moreinfo

Salvatore Bonaccorso <[email protected]> writes:

The following vulnerability was published for podman.

CVE-2025-4953[0]:
| A flaw was found in Podman. In a Containerfile or Podman, data
| written to RUN --mount=type=bind mounts during the podman build is
| not discarded. This issue can lead to files created within the
| container appearing in the temporary build context directory on the
| host, leaving the created files accessible.

There is not much information (or at least I have not found it),
neither in github issues or pull requests. The only reference we have
is right now the Red Hat bugzilla entry referring to an issue
import[1]. Could you try to find out more on it?

For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-4953
https://www.cve.org/CVERecord?id=CVE-2025-4953
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2367235

Here is what I found so far:

https://github.com/advisories/GHSA-m68q-4hqr-mc6f

This points to https://github.com/containers/podman/pull/25173 which
indicates that the code fix was actually in buildah:
https://github.com/containers/buildah/releases/tag/v1.27.6

This in turn has the following release notes:

| What's Changed
| [release-1.27] Properly validate cache IDs and sources by @dashea in #5797
| [release-1.27] Backport fix for CVE-2024-11218 by @dashea in #5946
| [release-1.27] Bump to 1.27.6 by @dashea in #5958
|
The PR #5797 has the following description:

| What this PR does / why we need it:
| Backport fix for CVE-2024-9675 to release-1.27 branch
|
| How to verify it
| Test included in PR
|
| Which issue(s) this PR fixes:
| https://issues.redhat.com/browse/RHEL-62385
| https://issues.redhat.com/browse/RHEL-62376

Which seems to be yet another issue. It seems upstream claims that
CVE-2025-4953 was fixed by the code changes that address CVE-2024-11218
and CVE-2024-9675.

Fix for CVE-2024-9675: https://github.com/containers/buildah/commit/aa67e5d71ee7ec07122a210baa3b13966a9e086c
Fix for CVE-2024-11218: https://github.com/containers/buildah/commit/9ddac02a5167a5be81ce344b178fa8585008cb0e

The latter has the following commit message:

| Fix TOCTOU error when bind and cache mounts use "src" values
| Fix a time-of-check/time-of-use error when mounting type=bind and
| type=cache directories that use a "src" flag. A hostile writer could
| use a concurrently-running stage or build to replace that "src" location
| between the point when we had resolved possible symbolic links and when
| runc/crun/whatever actually went to create the bind mount
| (CVE-2024-11218).
|
| Stop ignoring the "src" option for cache mounts when there's no "from"
| option.

I'm copying some friends from Redhat to verify my thinking and double
checking that CVE-2025-4953 is not something that "fell through the
cracks". What makes me a bit nervous is that it was reported much later
(October 2025) than the fixes landed (January 2025, and October 2024).

So if my analysis above is correct, I'd reassign it to the buildah
package in Debian and declare victory. Otherwise we need to verify that
this issue has indeed been addressed upstream and identify the correct
commit so that I can integrate it into the Debian packages, potentially
in Debian stable.

Thank you for making it so far, and let me know what I missed.

Best,
-rt
