Dear Security Team,

I have prepared a fix for CVE-2026-44517 in golang-github-containers-buildah affecting trixie (testing).

This is a symlink-based path traversal in Buildah's build context handling (ADD/COPY instructions with malicious Git repos or tar archives). The vulnerability allows an attacker controlling the build context to write files outside the build directory via symlinks.

Affected versions:
- trixie (testing): 1.39.3+ds1-1
- unstable: 1.43.2+ds1-1

The fix backports upstream commit 54459cf8a which uses securejoin.SecureJoin for Git subdirectory resolution and os.OpenRoot for safe file writes in Dockerfile fallback paths.

The source-only upload targets trixie-security with version 1.39.3+ds1-1+deb13u1. A debdiff is attached. You can also see the MR on salsa at https://salsa.debian.org/go-team/packages/golang-github-containers-buildah/-/merge_requests/4/diffs if that's easier for you to review and approve.

Please let me know if you need anything else. Feel free to either upload to trixie-security yourself or ask me to do so.

Thanks,
-rt
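
Added example, not part of the original message and not Buildah's code: a minimal Go program (Go 1.24+) contrasting a plain `filepath.Join` write with a write through `os.OpenRoot`, the standard-library call the message names for the safe file writes. The function names `writeNaive`, `writeRooted` and `demo`, and the directory layout, are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// writeNaive joins name onto dir and follows any symlink along the way.
func writeNaive(dir, name string, data []byte) error {
	return os.WriteFile(filepath.Join(dir, name), data, 0o644)
}

// writeRooted writes through os.Root, which refuses paths that resolve outside dir.
func writeRooted(dir, name string, data []byte) error {
	root, err := os.OpenRoot(dir)
	if err != nil {
		return err
	}
	defer root.Close()
	f, err := root.Create(name)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// demo uses a constructed context whose "sub" entry is a symlink to a sibling directory.
func demo() (naiveEscaped, rootedEscaped bool, err error) {
	base, err := os.MkdirTemp("", "ctx-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(base)
	ctx, outside := filepath.Join(base, "context"), filepath.Join(base, "outside")
	if err = errors.Join(os.Mkdir(ctx, 0o755), os.Mkdir(outside, 0o755),
		os.Symlink("../outside", filepath.Join(ctx, "sub"))); err != nil {
		return false, false, err
	}
	_ = writeNaive(ctx, "sub/naive", []byte("FROM scratch\n"))   // lands in outside/
	_ = writeRooted(ctx, "sub/rooted", []byte("FROM scratch\n")) // rejected by os.Root
	_, errN := os.Stat(filepath.Join(outside, "naive"))
	_, errR := os.Stat(filepath.Join(outside, "rooted"))
	return errN == nil, errR == nil, nil
}

func main() { fmt.Println(demo()) }
```
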

