- Package: src:golang-github-containers-buildah
- Submitter: magus
- Date: 2026-06-29 06:51:03 UTC
- Severity: normal
- Tags:
Dear Maintainer, I am writing to report a security vulnerability in the podman package present in Debian Trixie. The current podman package (version 5.4.2+ds1-2) vendors and compiles Buildah (prior to v1.43.2, probably v1.39.4) directly into its binary to handle container builds. Upstream has recently disclosed CVE-2026-44517, a high-severity flaw affecting buildah. Because podman statically embeds the vulnerable Buildah (>= v1.38.1) Go modules, the podman package inherits this vulnerability despite the flaw fundamentally existing within the buildah codebase. Upstream has mitigated this issue in Buildah v1.43.2 (and v1.44), which has been integrated into Podman v5.8.3. Could you please look into backporting the upstream fix for CVE-2026-44517 into the Trixie package, or upgrading the podman package to a secure upstream release? Thank you for your hard work maintaining these container tools in Debian. Regards, Magus
Dear Security Team, I have prepared a fix for CVE-2026-44517 in golang-github-containers-buildah affecting trixie (testing). This is a symlink-based path traversal in Buildah's build context handling (ADD/COPY instructions with malicious Git repos or tar archives). The vulnerability allows an attacker controlling the build context to write files outside the build directory via symlinks.

Affected versions:
- trixie (testing): 1.39.3+ds1-1
- unstable: 1.43.2+ds1-1

The fix backports upstream commit 54459cf8a which uses securejoin.SecureJoin for Git subdirectory resolution and os.OpenRoot for safe file writes in Dockerfile fallback paths. The source-only upload targets trixie-security with version 1.39.3+ds1-1+deb13u1. A debdiff is attached. You can also see the MR on salsa at https://salsa.debian.org/go-team/packages/golang-github-containers-buildah/-/merge_requests/4/diffs if that's easier for you to review and approve. Please let me know if you need anything else. Feel free to either upload to trixie-security yourself or ask me to do so. Thanks, -rt
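The message above describes the bug class (a symlink planted in the build context redirects an ADD/COPY write outside the context) and the shape of the fix (resolve the path against the context root and confine it before writing). The following Go program is an added illustration of that defence and is not Buildah's, securejoin's or the Debian package's code. It builds a constructed build context in a temporary directory containing a symlink to a directory outside it, shows that a plain filepath.Join follows the link, and then applies a hypothetical resolveInRoot check that rejects the same path while still allowing a benign one. The function names (resolveInRoot, safeWriteFile, demoSymlinkEscape) and the error value ErrEscape are this example's own, not upstream identifiers.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscape is returned when a requested path would land outside the build root.
var ErrEscape = errors.New("path escapes the build context root")

// resolveInRoot joins rel onto root and verifies that, once every symlink
// that already exists on disk has been followed, the result is still inside
// root. It is a simplified, hypothetical stand-in for the "resolve, then
// confine" behaviour of securejoin.SecureJoin, not the library's own code.
func resolveInRoot(root, rel string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}
	// Lexical confinement first: prefixing "/" stops ".." from climbing
	// above the root, so "../../etc/passwd" becomes "<root>/etc/passwd".
	candidate := filepath.Join(realRoot, filepath.Clean("/"+rel))

	// Find the deepest ancestor of candidate that exists, remembering the
	// not-yet-created tail components that will be appended afterwards.
	existing := candidate
	var tail []string
	for {
		if _, lerr := os.Lstat(existing); lerr == nil {
			break
		}
		tail = append([]string{filepath.Base(existing)}, tail...)
		parent := filepath.Dir(existing)
		if parent == existing {
			break
		}
		existing = parent
	}
	// Follow symlinks in the existing part; a dangling link is an error here.
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	final := filepath.Join(append([]string{resolved}, tail...)...)
	if final != realRoot && !strings.HasPrefix(final, realRoot+string(filepath.Separator)) {
		return "", ErrEscape
	}
	return final, nil
}

// safeWriteFile writes data to rel inside root only if the resolved
// destination is confined to root.
func safeWriteFile(root, rel string, data []byte) error {
	target, err := resolveInRoot(root, rel)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	return os.WriteFile(target, data, 0o644)
}

// demoSymlinkEscape builds a constructed malicious build context in a temp
// directory and reports whether the naive join escaped it and whether the
// hardened writer rejected the same path.
func demoSymlinkEscape() (naiveEscaped, safeRejected bool, err error) {
	ctx, err := os.MkdirTemp("", "buildctx-")
	if err != nil {
		return
	}
	defer os.RemoveAll(ctx)
	outside, err := os.MkdirTemp("", "outside-")
	if err != nil {
		return
	}
	defer os.RemoveAll(outside)

	// Constructed attacker-controlled context: "sub" is a symlink to a
	// directory that lies outside the context.
	if err = os.Symlink(outside, filepath.Join(ctx, "sub")); err != nil {
		return
	}
	// Naive handling: filepath.Join follows the link and the write lands outside.
	if err = os.WriteFile(filepath.Join(ctx, "sub", "evil.txt"), []byte("x"), 0o644); err != nil {
		return
	}
	_, statErr := os.Stat(filepath.Join(outside, "evil.txt"))
	naiveEscaped = statErr == nil

	// Hardened handling: the same relative path is refused.
	safeRejected = errors.Is(safeWriteFile(ctx, "sub/evil.txt", []byte("x")), ErrEscape)

	// A benign path that stays inside the context still works.
	err = safeWriteFile(ctx, "app/config.txt", []byte("ok"))
	return
}

func main() {
	naive, safe, err := demoSymlinkEscape()
	fmt.Printf("naive join escaped: %v, hardened write rejected: %v, err: %v\n", naive, safe, err)
}
```

Note that a check-then-write sequence like this is not atomic: a build context modified between the check and the write could still swap a directory for a symlink. That is the gap the upstream fix closes in the Dockerfile fallback path by using os.OpenRoot (available since Go 1.24), which performs the confinement inside the kernel at open time rather than in a separate user-space check.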
We believe that the bug you reported is fixed in the latest version of golang-github-containers-buildah, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1140619@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp. Reinhard Tartler <siretart@tauware.de> (supplier of updated golang-github-containers-buildah package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sun, 28 Jun 2026 03:24:47 -0400
Source: golang-github-containers-buildah
Architecture: source
Version: 1.43.2+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 1140619
Changes:
 golang-github-containers-buildah (1.43.2+ds1-1) unstable; urgency=medium
 .
   * New upstream version
   * Fixes CVE-2026-44517, Closes: #1140619
Checksums-Sha1:
 f41ff2f72d363dd4534a5945e20664fa685c08ef 4513 golang-github-containers-buildah_1.43.2+ds1-1.dsc
 afc348d6d1d860dc805cdf53c3fd1dd52da869e8 1006036 golang-github-containers-buildah_1.43.2+ds1.orig.tar.xz
 52180fb434aee2945963f84ddd1826bd5c4da5a6 12812 golang-github-containers-buildah_1.43.2+ds1-1.debian.tar.xz
 f2f80be83abf32ddcd3209d1be50cfee3c7c8a1e 1964604 golang-github-containers-buildah_1.43.2+ds1-1.git.tar.xz
 e058c6e2203490f978039f5430b36324c1cd29b5 17616 golang-github-containers-buildah_1.43.2+ds1-1_source.buildinfo
Checksums-Sha256:
 473ce4263d7cdb8c7beaa1d1211422663ea7cdb1b90206529a94a5c9c0cb0c29 4513 golang-github-containers-buildah_1.43.2+ds1-1.dsc
 48f01025e0942fc536356b10c8e2171c8748efabb053abf1f2870a56b6562344 1006036 golang-github-containers-buildah_1.43.2+ds1.orig.tar.xz
 48acecb4138d3a1f38584df121b0cf79d6fe5cc08cf97840b5f807967b7c4b9c 12812 golang-github-containers-buildah_1.43.2+ds1-1.debian.tar.xz
 b0edcc074ae25b0101c3567fc3378f3a869ebd49151a15541ff10133975dd926 1964604 golang-github-containers-buildah_1.43.2+ds1-1.git.tar.xz
 62c1b6ac48af6e073ce8853f70bdded71374cc64149347ea3e21a41c6663c3ee 17616 golang-github-containers-buildah_1.43.2+ds1-1_source.buildinfo
Files:
 ca72bd48911673781cea15d0e2304ef1 4513 golang optional golang-github-containers-buildah_1.43.2+ds1-1.dsc
 8eebf4f55bc419c6ee4ad419de6c805b 1006036 golang optional golang-github-containers-buildah_1.43.2+ds1.orig.tar.xz
 7057ade41e1571e8e263adfcf6188eb8 12812 golang optional golang-github-containers-buildah_1.43.2+ds1-1.debian.tar.xz
 ebc3ac925d60408a6118f290af86e41f 1964604 golang None golang-github-containers-buildah_1.43.2+ds1-1.git.tar.xz
 a6c0eb23d9c7bebb46d1eda6571b3b19 17616 golang optional golang-github-containers-buildah_1.43.2+ds1-1_source.buildinfo
Git-Tag-Info: tag=812fef693ba6c904961ebc40b91480df03088b35 fp=30de7d1763ab9452c7e0825049a76977942826cb
Git-Tag-Tagger: Reinhard Tartler <siretart@tauware.de>

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmpAzKkACgkQYG0ITkaD
wHlmkg/9EaAW/EVDI3GjxZMEtYF41ug2XHAx133RvV6Wcao/SXTgyyAi5OrUQ87+
3N+47vG0ebHyi87eIrGMKJRxjgPTxnTC24dhbrXhb4Rb5hSbM8sslIrYW4Xmfs9n
ZkpcGRLNjsxJVZ+Gii9yNDng+U0koOrGrkq30Bx8jbFvYuJkZo0iXGwoIuYCR0+r
V2LCiVqF1MWrVaCXP1UIS+qd4EECXCgOWjH0fjnrHH2SAImlyXimv8rLW4/6gDM6
DYIkBFBVjl067pcqQissUu84Y344cjQnP2kpJmYUhKTZtjhoyD3mrAcbr4VC12Gw
m4tnBuYHclH+WEAC8mcFeBx52rk18puGr1ovdsyn5VdMY91UbQlzo9zB0OoL80fh
MMO0sTEquD7FO/ECaAz4f0t5YK6M1xZX4DmNB8RYFawl2s0F+wCSVLXQLs0RY3hn
7+xHUOInDOK6bFmsmLMt5yDVVxaLBBn+kJi34BJrQ95NNzo1hTXN0D4aCLCX3JiY
ND21MqAq33LWrjCkyZX8qS+ZzOLjLPluilRlWo2gKUUsyqfwD2/fHjJWvoSwggix
JLtwBsCaNYHcEsO7xJnJkEwjunM44FeOZKFC7IlFZOubMikl0ys+K5VYsUBj82ap
/a41m/c2RcJqOzQ1HVCjq9ZCjAo1197H7KLrWQgow8695wECLzo=
=Kz+N
-----END PGP SIGNATURE-----
Hi Reinhard, Given this will require a rebuild of podman as well (at least, right?), I would suggest you make a point release update, which is now anyway right around the corner: https://release.debian.org/#point-releases Can you thus fix buildah first for the point release and ask for the packages that need it to be rebuilt? Regards, Salvatore
We believe that the bug you reported is fixed in the latest version of podman, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1140619@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp. Reinhard Tartler <siretart@tauware.de> (supplier of updated podman package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Mon, 29 Jun 2026 02:31:35 -0400
Source: podman
Architecture: source
Version: 5.8.3+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 1140115 1140619
Changes:
 podman (5.8.3+ds1-1) unstable; urgency=medium
 .
   * build against buildah 1.42.3, Closes: #1140619
   * This release addresses CVE-2026-44517, GHSA-49p4-px3h-rq49.
   * Fix build failure with opencontainers-cgroups < 0.0.6
   * Bump Standards Version, dropped Priority: optional field
   * normalize with wrap-and-sort
   * build against containerd/platforms 1.0, Closes: #1140115
Checksums-Sha1:
 66ec1cec03efccaa41aac8520559da65d5328310 5097 podman_5.8.3+ds1-1.dsc
 b9fd25456c204235c1441e2b5cb5a2f2b16991ed 3003708 podman_5.8.3+ds1.orig.tar.xz
 26a136dd19afd9ace44696d4fd83851f2ab4603a 27248 podman_5.8.3+ds1-1.debian.tar.xz
 5986a83db0abe3afd870db77d8cef67c19228d70 22174008 podman_5.8.3+ds1-1.git.tar.xz
 80f6056f41791d0687d74b62a52547c5f6c5e2af 17508 podman_5.8.3+ds1-1_source.buildinfo
Checksums-Sha256:
 27a878cb7c17c62b2eeb7b2ecefac59a0718ad150f5b032eb43de7cbeeea0de1 5097 podman_5.8.3+ds1-1.dsc
 0f1c745721262bb6ed8f6a1387d4110d8c4eaae3ced236d6ed7b3b063719e52d 3003708 podman_5.8.3+ds1.orig.tar.xz
 5848f0e52c274ac18fb3d0970fb69612cd644f03912e28418edc799870b294a0 27248 podman_5.8.3+ds1-1.debian.tar.xz
 c2f88a51b9f581c9306ab5073adb670abe1b04abcf5dbac12b58fb8e2886bed4 22174008 podman_5.8.3+ds1-1.git.tar.xz
 a0b23f2f2b1841dc526836d28b78d7dbc9685cc484a7b7e1d30f5b8dd461c518 17508 podman_5.8.3+ds1-1_source.buildinfo
Files:
 9297d118e3e2083b36952be1977a9bac 5097 admin optional podman_5.8.3+ds1-1.dsc
 b1f7176e8f2e8504a14da96c3662a7de 3003708 admin optional podman_5.8.3+ds1.orig.tar.xz
 5fcfc5ee2167b67f31a9d59d2fc29e39 27248 admin optional podman_5.8.3+ds1-1.debian.tar.xz
 a3925a3b06c1b5f97412089010561c68 22174008 admin None podman_5.8.3+ds1-1.git.tar.xz
 7f21426fcf149117d4d13f56fc5b67f4 17508 admin optional podman_5.8.3+ds1-1_source.buildinfo
Git-Tag-Info: tag=7cc9f9d6289b8e21da931c2619c9be30f1d8f55a fp=30de7d1763ab9452c7e0825049a76977942826cb
Git-Tag-Tagger: Reinhard Tartler <siretart@tauware.de>

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmpCEfoACgkQYG0ITkaD
wHnE8RAAjPEuDiUqSgo63Kh5Vpnx/EKGhveXYq+vkYvHPfodGM8KWwfQtsrPTcRX
1XOgNKSr0IKB8nSHJp5J/QOVRP2hltBdPmBG9QepHz8FusS9P8B/Z1jiK62c8+by
20djzc850LQ098bJ1djA01xDEWOKamtZIEztgbC+dvdbAJvkj+BcJIJcbddFBrZC
RrVKdTos+IvYCn9ZqpoyJCnIbCv83e9SFXiOM9s4zi888YhjI0H/TwzYLJwyoAdh
Fbfcv215sprmchgKrs16RMB7tUh8wZGV0pLELX5VViZjJTp21zgXxgQVPnHBlup5
SfsTUpfdccH9aQQeuCxvjxjTEpM/bYK3tYDIStzG1yNuGarDHVNR2KhQFOYsuoX9
PWylka7BukhI+sCGp3O6J2eWLAmUI8gFPxCJe2fkYGyzBVeFRb0M8gLmp5jWMGBF
KilycDkdT+VE7Iwzi0+PFw/LroLWsiZwSTOVineDuo4rfW1X3kVjEfhDBl+2n2lu
KfuRJ8RO/sg0GRqVGqI/Pqz2osdWxCF9K7MVbjelr/waaDemQFtNPXmCfrH8x68m
ryGwnPPJwaxIyZX0K3BcWYPXi87/iX4S9XlfDSkYQVI2otbtzY59KxMnN8EELioG
3UYInihaUmI1fXb7js/iIZsXjqJXAoFA8UjNnOzOVFyJgMBuCms=
=tpF3
-----END PGP SIGNATURE-----