os: Root permits access to parent directory (fix CVE-2025-22873) #73555

Closed
neild opened this issue Apr 30, 2025 · 5 comments
Labels: NeedsFix (The path to resolution is known, but the work has not been done.), release-blocker, Security, vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo)
Comments

@neild
Contributor

neild commented Apr 30, 2025

os: Root permits access to parent directory

It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.

Root now correctly returns an error in this case.

This is CVE-2025-22873 and Go issue https://go.dev/issue/73555.

Thanks to Dan Sebastian Thrane of SDU eScience Center for reporting this issue.


This is a PRIVATE issue for CVE-2025-22873, tracked in http://b/408209442.

/cc @golang/security and @golang/release

@neild neild added this to the Go1.25 milestone Apr 30, 2025
@neild
Contributor Author

neild commented Apr 30, 2025

@gopherbot please backport to go1.24

@gopherbot
Contributor

Backport issue(s) opened: #73556 (for 1.24).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@gabyhelp added the label "vulncheck or vulndb" (Issues for the x/vuln or x/vulndb repo) Apr 30, 2025
@dmitshur added the label "NeedsFix" (The path to resolution is known, but the work has not been done.) May 1, 2025
@stefanb
Contributor

stefanb commented May 4, 2025

Please check if this needs a backport also to 1.23, to be released in 1.23.9 (milestone), as expected from the announcement.

@gopherbot
Contributor

Change https://go.dev/cl/670357 mentions this issue: [release-branch.go1.24] os: avoid escape from Root via paths ending in ../

@cherrymui changed the title from "security: fix CVE-2025-22873" to "os: Root permits access to parent directory (fix CVE-2025-22873)" May 6, 2025
gopherbot pushed a commit that referenced this issue May 6, 2025
…n ../

The doInRoot function operates on a path split into components.
The final path component retained any trailing path separator
characters, to permit operations in a Root to retain the
trailing-separator behavior of non-Root operations. However,
doInRoot failed to take trailing separators into account
when checking for .. path components.

This could permit opening the parent directory of the Root
with a path ending in "../".

Change the split path to never include path separators in
components, and handle trailing separators independently
of the split path.

Thanks to Dan Sebastian Thrane of SDU eScience Center for
reporting this issue.

Fixes #73556
Updates #73555
Fixes CVE-2025-22873

Change-Id: I9a33a145c22f5eb1dd4e4cafae5fcc61a8d4f0d4
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2160
Reviewed-by: Neal Patel <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2180
Commit-Queue: Damien Neil <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/670357
Reviewed-by: Carlos Amedee <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
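An added illustration of the defect and the fix the commit message describes (written for this note; it is not the os package's own doInRoot, which is in the linked CLs): a splitter that leaves trailing separators in the final component, the corrected splitter that reports the trailing separator separately, and the same ".." check run over both. All function names are assumptions.

```go
package main

import (
	"errors"
	"strings"
)

var errEscape = errors.New("path escapes from parent")

// splitRetainingSep reproduces the defect described in the commit message:
// the final component keeps trailing separators, so "a/../" -> ["a", "../"].
func splitRetainingSep(p string) []string {
	trimmed := strings.TrimRight(p, "/")
	parts := strings.Split(trimmed, "/")
	parts[len(parts)-1] += p[len(trimmed):]
	return parts
}

// splitClean never puts separators into components; whether the path ended in
// a separator is reported separately so it can be handled independently.
func splitClean(p string) (parts []string, trailingSep bool) {
	trailingSep = strings.HasSuffix(p, "/")
	if trimmed := strings.TrimRight(p, "/"); trimmed != "" {
		parts = strings.Split(trimmed, "/")
	}
	return parts, trailingSep
}

// checkDotDot tracks depth across components and fails as soon as the path
// would rise above its starting directory. The comparison with ".." is literal,
// so a component "../" passes as an ordinary name (the OS resolves it to the parent).
func checkDotDot(parts []string) error {
	depth := 0
	for _, c := range parts {
		switch c {
		case "", ".":
		case "..":
			if depth--; depth < 0 {
				return errEscape
			}
		default:
			depth++
		}
	}
	return nil
}

// CheckVulnerable runs the check over the defective split, CheckFixed over the corrected one.
func CheckVulnerable(p string) error { return checkDotDot(splitRetainingSep(p)) }
func CheckFixed(p string) error     { parts, _ := splitClean(p); return checkDotDot(parts) }
```

Absolute paths are out of scope here; os.Root rejects them by a separate rule.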
@gopherbot
Contributor

Change https://go.dev/cl/670036 mentions this issue: os: avoid escape from Root via paths ending in ../

5 participants