All errata/c10f2/ALT-PU-2025-6974-7
ALT-PU-2025-6974-7

Package update podman in branch c10f2

Version5.4.2-alt0.p10
Task#384573
Published2026-02-04
Max severityHIGH
Severity:

Closed issues (14)

BDU:2024-09320
MEDIUM4.4

Уязвимость инструмента управления контейнерными образами Buildah, существующая из-за неверного ограничения имени пути к каталогу с ограниченным доступом, позволяющая нарушителю пользователю повысить привилегии в системе

Published: 2024-11-13Modified: 2026-03-04
CVSS 3.xMEDIUM 4.4
CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS 2.0LOW 3.2
CVSS:2.0/AV:L/AC:L/Au:S/C:P/I:P/A:N
References
BDU:2024-09457
MEDIUM6.5

Уязвимость программного средства управления и запуска OCI-контейнеров Podman, связанная с неправильным ограничением имени пути к ограниченному каталогу, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-11-14Modified: 2026-03-04
CVSS 3.xMEDIUM 6.5
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0MEDIUM 6.8
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:C
References
BDU:2024-09460
MEDIUM4.7

Уязвимость программного средства управления и запуска OCI-контейнеров Podman, связанная с неправильной проверкой входных данных, позволяющая нарушителю получить доступ к конфиденциальной информации

Published: 2024-11-14Modified: 2026-03-04
CVSS 3.xMEDIUM 4.7
CVSS:3.x/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N
CVSS 2.0MEDIUM 4.4
CVSS:2.0/AV:L/AC:H/Au:M/C:C/I:P/A:N
References
BDU:2024-09461
MEDIUM5.4

Уязвимость библиотеки containers-common языка программирования Golang, связанная с неправильным разрешением ссылки перед доступом к файлу, позволяющая нарушителю получить доступ к конфиденциальной информации

Published: 2024-11-14Modified: 2026-03-04
CVSS 3.xMEDIUM 5.4
CVSS:3.x/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
CVSS 2.0MEDIUM 5.6
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:P/A:N
References
BDU:2024-09773
HIGH7.7

Уязвимость программного средства управления и запуска OCI-контейнеров Podman, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-11-18Modified: 2025-06-20
CVSS 3.xHIGH 7.7
CVSS:3.x/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:H
CVSS 2.0MEDIUM 6.6
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:N/A:C
References
CVE-2024-3056
HIGH7.7

A flaw was found in Podman. This issue may allow an attacker to create a specially crafted container that, when configured to share the same IPC with at least one other container, can create a large number of IPC resources in /dev/shm. The malicious container will continue to exhaust resources until it is out-of-memory (OOM) killed. While the malicious container's cgroup will be removed, the IPC resources it created are not. Those resources are tied to the IPC namespace that will not be removed until all containers using it are stopped, and one non-malicious container is holding the namespace open. The malicious container is restarted, either automatically or by attacker control, repeating the process and increasing the amount of memory consumed. With a container configured to restart always, such as `podman run --restart=always`, this can result in a memory-based denial of service of the system.

Published: 2024-08-02Modified: 2024-12-27
CVSS 3.xHIGH 7.7
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:H
References
CVE-2024-9341
HIGH8.2

A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.

Published: 2024-10-01Modified: 2024-12-11
CVSS 3.xHIGH 8.2
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
References
CVE-2024-9407
MEDIUM4.7

A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.

Published: 2024-10-01Modified: 2026-04-15
CVSS 3.xMEDIUM 4.7
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N
References
CVE-2024-9675
MEDIUM4.4

A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.

Published: 2024-10-09Modified: 2025-08-25
CVSS 3.xMEDIUM 4.4
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
References
CVE-2024-9676
MEDIUM6.5

A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host.

Published: 2024-10-15Modified: 2026-03-19
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
GHSA-586p-749j-fhwp
MEDIUM5.3

Buildah allows arbitrary directory mount

Published: 2024-10-09Modified: 2025-04-11
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0MEDIUM 5.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
References
GHSA-fhqq-8f65-5xfc
MEDIUM5.9

Improper Input Validation in Buildah and Podman

Published: 2024-10-02Modified: 2024-12-20
CVSS 3.xMEDIUM 5.9
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N
CVSS 4.0MEDIUM 5.9
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
References
GHSA-mc76-5925-c5p6
MEDIUM5.8

Link Following in github.com/containers/common

Published: 2024-10-02Modified: 2024-12-11
CVSS 3.xMEDIUM 5.8
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
CVSS 4.0MEDIUM 5.8
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
References
GHSA-rpcc-p8xm-rc6p
HIGH8.7

Podman vulnerable to memory-based denial of service

Published: 2024-08-03Modified: 2024-12-27
CVSS 3.xHIGH 8.7
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
CVSS 4.0HIGH 8.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References