Bug 2393459

Summary: CVE-2025-9566 podman: Podman kube play command may overwrite host files [fedora-43]
Product: [Fedora] Fedora Reporter: Lokesh Mandvekar <lsm5>
Component: podmanAssignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 43CC: awilliam, bbaude, debarshir, dwalsh, extras-qa, go-sig, jnovy, lsm5, mbenatto, mboddu, mheon, nsella, patrick, pholzing, robatino, suraj.ghimire7
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: {"flaws": ["0bd5c6da-c6fd-4461-afd1-720a2be2e321"]} AcceptedBlocker AcceptedFreezeException
Fixed In Version: podman-5.6.1-1.fc43 Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: 2393154 Environment:
Last Closed: 2025-09-10 03:07:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2393154    
Bug Blocks: 2393152, 2324224, 2324225    

Description Lokesh Mandvekar 2025-09-05 15:39:55 UTC 
+++ This bug was initially created as a clone of Bug #2393154 +++

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams

--- Additional comment from Fedora Update System on 2025-09-05 10:29:41 EDT ---

FEDORA-2025-19f7dd07d9 (buildah-1.41.4-1.fc42, containers-common-0.64.2-1.fc42, and 1 more) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-19f7dd07d9
Comment 1 Fedora Update System 2025-09-05 15:42:09 UTC 
FEDORA-2025-b93734b6b8 (buildah-1.41.4-1.fc43, containers-common-0.64.2-1.fc43, and 1 more) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-b93734b6b8
Comment 2 Fedora Blocker Bugs Application 2025-09-05 15:42:28 UTC 
Proposed as a Blocker for 43-beta by Fedora user lsm5 using the blocker tracking app because:

 High sev CVE for podman
Comment 3 Fedora Blocker Bugs Application 2025-09-05 15:42:54 UTC 
Proposed as a Freeze Exception for 43-beta by Fedora user lsm5 using the blocker tracking app because:

 High sev CVE for podman
Comment 4 Lokesh Mandvekar 2025-09-05 15:43:46 UTC 
please scratch the `blocker` proposal. Freeze exception should suffice AFAICT.
Comment 5 Adam Williamson 2025-09-05 21:01:39 UTC 
CVEs are Final blockers by policy - https://fedoraproject.org/wiki/Fedora_43_Final_Release_Criteria#Security_bugs . Switching to Final blocker, Beta FE proposal.
Comment 6 Fedora Update System 2025-09-06 01:33:06 UTC 
FEDORA-2025-b93734b6b8 has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-b93734b6b8`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-b93734b6b8

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 7 Adam Williamson 2025-09-06 18:03:53 UTC 
+3 for Beta FE and Final blocker in https://pagure.io/fedora-qa/blocker-review/issue/1910 , marking accepted.
Comment 8 Fedora Update System 2025-09-10 03:07:56 UTC 
FEDORA-2025-b93734b6b8 (buildah-1.41.4-1.fc43, containers-common-0.64.2-1.fc43, and 1 more) has been pushed to the Fedora 43 stable repository.
If problem still persists, please make note of it in this bug report.