CVE-2025-4953 - Podman Creates Temporary File with Insecure Permissions (v5.8.0)

[mwileman2]

Hi all,

Regarding CVE-2025-4953

govulncheck is reporting following for github.com/containers/podman/v5@v5.8.0

=== Symbol Results ===

No vulnerabilities found.

=== Package Results ===

No other vulnerabilities found.

=== Module Results ===

Vulnerability #1: GO-2025-3961
    Podman Creates Temporary File with Insecure Permissions in
    github.com/containers/podman
  More info: https://pkg.go.dev/vuln/GO-2025-3961
  Module: github.com/containers/podman/v5
    Found in: github.com/containers/podman/v5@v5.8.0
    Fixed in: N/A

Vulnerability #2: GO-2024-3042
    Podman vulnerable to memory-based denial of service in
    github.com/containers/podman
  More info: https://pkg.go.dev/vuln/GO-2024-3042
  Module: github.com/containers/podman/v5
    Found in: github.com/containers/podman/v5@v5.8.0
    Fixed in: N/A

Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.

Is this something that will be fixed within the podman library sources?

[markpaladino]

It looks like PR 28125 addressed CVE-2025-4953 and was merged into the containers/podman:v4.2.0-rhel branch. Perhaps the change never made it into the v5 releases?

[Luap99]

Everything is generally patched in main first, the linked PR is a buildah update as the problem is in buildah code so I assume a normal update on main consumed this fix just fine.
I would assume the CVE metadata is wrong for this one. IIRC this problem was fixed already as part of CVE-2024-11218
cc @nalind @TomSweeneyRedHat

[Luap99]

CVE-2024-3056 (GO-2024-3042) is not something that can be addressed in the podman code AFAICT as this is just the way the kernel accounting works. cc @mheon