| Name | CVE-2019-25067 |
| Description | A vulnerability, which was classified as critical, was found in Podman and Varlink 1.5.1. This affects an unknown part of the component API. The manipulation leads to Remote Privilege Escalation. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-143949 was assigned to this vulnerability. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| libpod (PTS) | bullseye | 3.0.1+dfsg1-3+deb11u5 | fixed |
| bookworm | 4.3.1+ds1-8 | fixed |
| sid, trixie | 4.9.4+ds1-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| libpod | source | (unstable) | 3.0.0+dfsg1-1 | | | |
Notes
https://vuldb.com/?id.143949
https://www.exploit-db.com/exploits/47500
exploit demo script on client uses Python podman code which is not in Debian
refers to old versions of remote code which never made it to a Debian release
issue probably present in all versions with varlink, starting 1.6.2+dfsg-1
upstream (Fedora/RedHat) refuses to look into it: https://bugzilla.redhat.com/show_bug.cgi?id=2097496