| Name | CVE-2025-2713 |
| Description | Google gVisor's runsc component exhibited a local privilege escalation vulnerability due to incorrect handling of file access permissions, which allowed unprivileged users to access restricted files. This occurred because the process initially ran with root-like permissions until the first fork. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| golang-gvisor-gvisor (PTS) | bookworm | 0.0~20221219.0-2 | vulnerable |
| sid, trixie | 0.0~20240729.0-4 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| golang-gvisor-gvisor | source | (unstable) | 0.0~20240729.0-1 |
[bookworm] - golang-gvisor-gvisor <no-dsa> (Minor issue)
Fixed by: https://github.com/google/gvisor/commit/586c38d70081b13b2ed494cef48e99b93956843e (release-20240325.0)