Hi Reinhard,

On Sun, Jun 28, 2026 at 03:39:12AM -0400, Reinhard Tartler wrote:
> Dear Security Team,
>
> I have prepared a fix for CVE-2026-44517 in
> golang-github-containers-buildah affecting trixie (testing).
>
> This is a symlink-based path traversal in Buildah's build context
> handling (ADD/COPY instructions with malicious Git repos or tar
> archives). The vulnerability allows an attacker controlling the build
> context to write files outside the build directory via symlinks.
>
> Affected versions:
> - trixie (testing): 1.39.3+ds1-1
> - unstable: 1.43.2+ds1-1
>
> The fix backports upstream commit 54459cf8a which uses
> securejoin.SecureJoin for Git subdirectory resolution and
> os.OpenRoot for safe file writes in Dockerfile fallback paths.
>
> The source-only upload targets trixie-security with version
> 1.39.3+ds1-1+deb13u1. A debdiff is attached. You can also see the MR on salsa
> at
> https://salsa.debian.org/go-team/packages/golang-github-containers-buildah/-/merge_requests/4/diffs
> if that's easier for you to review and approve.
>
> Please let me know if you need anything else. Feel free to either upload to
> trixie-security yourself or ask me to do so.
Given this will require as well a rebuild of podman (at least, right?) I would
suggest you make a point release update which is now anyway right around the
corner:

https://release.debian.org/#point-releases

Can you fix thus buildah first for the point releases and ask for the required
packages to be rebuilt which need it?

Regards,
Salvatore
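As an added illustration of the two write patterns the quoted fix description contrasts (this is example code, not Buildah's code or the backported commit): a constructed build context containing a symlink that points at its own parent is written to once through a plain lexical path join and once through an os.Root opened with os.OpenRoot (Go 1.24+). The function names and temp-directory layout are this example's own; securejoin.SecureJoin is not shown because it is a third-party module.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
)

// Vulnerable pattern: lexical join, then a direct open. A symlink inside the
// build context is followed wherever it points, including outside buildDir.
func writeNaive(buildDir, rel string, data []byte) error {
	return os.WriteFile(filepath.Join(buildDir, rel), data, 0o644)
}

// Hardened pattern (Go 1.24+): every open goes through an os.Root scoped to
// buildDir, which refuses any component, symlinks included, that escapes it.
func writeViaRoot(buildDir, rel string, data []byte) error {
	root, err := os.OpenRoot(buildDir)
	if err != nil {
		return err
	}
	defer root.Close()
	f, err := root.Create(rel)
	if err != nil {
		return err
	}
	_, err = f.Write(data)
	return errors.Join(err, f.Close())
}

// RunDemo builds a constructed hostile build context (symlink "evil" -> "..")
// and tries both writers; naiveEscaped: file landed outside, rootRefused: error.
func RunDemo() (naiveEscaped, rootRefused bool, err error) {
	outside, err := os.MkdirTemp("", "buildctx-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(outside)
	ctx := filepath.Join(outside, "context")
	if err = os.Mkdir(ctx, 0o755); err == nil {
		err = os.Symlink("..", filepath.Join(ctx, "evil")) // points at ctx's parent
	}
	if err != nil {
		return false, false, err
	}
	exists := func(n string) bool { _, e := os.Stat(filepath.Join(outside, n)); return e == nil }
	naiveEscaped = writeNaive(ctx, "evil/escaped.txt", []byte("x")) == nil && exists("escaped.txt")
	rootRefused = writeViaRoot(ctx, "evil/blocked.txt", []byte("x")) != nil && !exists("blocked.txt")
	return naiveEscaped, rootRefused, nil
}
```

Call RunDemo from a main or a test: the naive write lands the file in the parent directory, while the os.Root write returns an error and creates nothing outside the context.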

