| Name | CVE-2019-25067 |
|---|---|
| Description | A vulnerability, which was classified as critical, was found in Podman and Varlink 1.5.1. This affects an unknown part of the component API. The manipulation leads to Privilege Escalation. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libpod (PTS) | bullseye | 3.0.1+dfsg1-3+deb11u1 | fixed |
| | bookworm, sid | 3.4.7+ds1-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libpod | source | (unstable) | 3.0.0+dfsg1-1 | | | |
Notes
https://vuldb.com/?id.143949
https://www.exploit-db.com/exploits/47500
exploit demo script on client uses Python podman code which is not in Debian
refers to old versions of remote code which never made it to a Debian release
issue probably present in all versions with varlink, starting 1.6.2+dfsg-1
upstream (Fedora/RedHat) refuses to look into it: https://bugzilla.redhat.com/show_bug.cgi?id=2097496