| Name | CVE-2025-4953 |
| Description | A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1117966 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libpod (PTS) | bullseye | 3.0.1+dfsg1-3+deb11u5 | vulnerable |
| libpod (PTS) | bookworm | 4.3.1+ds1-8+deb12u1 | vulnerable |
| podman (PTS) | trixie | 5.4.2+ds1-2 | fixed |
| podman (PTS) | forky, sid | 5.7.0+ds2-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libpod | source | (unstable) | (unfixed) | | | |
| podman | source | (unstable) | 5.3.2+ds1-1 | | | 1117966 |
Notes
[bookworm] - libpod <no-dsa> (Minor issue)
[bullseye] - libpod <postponed> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2367235
Fixed in podman by bumping/tightening the dependency on buildah up to the
version fixing CVE-2024-11218 and CVE-2024-9675. This is tricky to track
properly, as we need to bump the dependency and rebuild to address the issue.
Details in: https://bugs.debian.org/1117966#22