2393459 – CVE-2025-9566 podman: Podman kube play command may overwrite host files [fedora-43]

Bug 2393459 - CVE-2025-9566 podman: Podman kube play command may overwrite host files [fedora-43]

Summary: CVE-2025-9566 podman: Podman kube play command may overwrite host files [fedo...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	podman
Sub Component:
Version:	43
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Lokesh Mandvekar
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	{"flaws": ["0bd5c6da-c6fd-4461-afd1-7...
Depends On:	2393154
Blocks:	BetaFreezeException, F43BetaFreezeException F43FinalBlocker, FinalBlocker CVE-2025-9566
TreeView+	depends on / blocked

Reported:	2025-09-05 15:39 UTC by Lokesh Mandvekar
Modified:	2025-09-10 03:07 UTC (History)
CC List:	16 users (show)
Fixed In Version:	podman-5.6.1-1.fc43
Clone Of:	2393154
Environment:
Last Closed:	2025-09-10 03:07:56 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Lokesh Mandvekar 2025-09-05 15:39:55 UTC

+++ This bug was initially created as a clone of Bug #2393154 +++

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams

--- Additional comment from Fedora Update System on 2025-09-05 10:29:41 EDT ---

FEDORA-2025-19f7dd07d9 (buildah-1.41.4-1.fc42, containers-common-0.64.2-1.fc42, and 1 more) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-19f7dd07d9

Comment 1 Fedora Update System 2025-09-05 15:42:09 UTC

FEDORA-2025-b93734b6b8 (buildah-1.41.4-1.fc43, containers-common-0.64.2-1.fc43, and 1 more) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-b93734b6b8

Comment 2 Fedora Blocker Bugs Application 2025-09-05 15:42:28 UTC

Proposed as a Blocker for 43-beta by Fedora user lsm5 using the blocker tracking app because:

 High sev CVE for podman

Comment 3 Fedora Blocker Bugs Application 2025-09-05 15:42:54 UTC

Proposed as a Freeze Exception for 43-beta by Fedora user lsm5 using the blocker tracking app because:

 High sev CVE for podman

Comment 4 Lokesh Mandvekar 2025-09-05 15:43:46 UTC

please scratch the `blocker` proposal. Freeze exception should suffice AFAICT.

Comment 5 Adam Williamson 2025-09-05 21:01:39 UTC

CVEs are Final blockers by policy - https://fedoraproject.org/wiki/Fedora_43_Final_Release_Criteria#Security_bugs . Switching to Final blocker, Beta FE proposal.

Comment 6 Fedora Update System 2025-09-06 01:33:06 UTC

FEDORA-2025-b93734b6b8 has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-b93734b6b8`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-b93734b6b8

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Adam Williamson 2025-09-06 18:03:53 UTC

+3 for Beta FE and Final blocker in https://pagure.io/fedora-qa/blocker-review/issue/1910 , marking accepted.

Comment 8 Fedora Update System 2025-09-10 03:07:56 UTC

FEDORA-2025-b93734b6b8 (buildah-1.41.4-1.fc43, containers-common-0.64.2-1.fc43, and 1 more) has been pushed to the Fedora 43 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.