Skip to content

os: Root permits access to parent directory (fix CVE-2025-22873) [1.24 backport] #73556

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gopherbot opened this issue Apr 30, 2025 · 2 comments
Closed

os: Root permits access to parent directory (fix CVE-2025-22873) [1.24 backport] #73556

gopherbot opened this issue Apr 30, 2025 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases release-blocker Security
Milestone
Go1.24.3

Comments

@gopherbot
Copy link
Contributor

@neild requested issue #73555 to be considered for backport to the next 1.24 minor release.

@gopherbot please backport to go1.24
@gopherbot gopherbot added CherryPickCandidate Used during the release process for point releases Security labels Apr 30, 2025
@gopherbot gopherbot mentioned this issue Apr 30, 2025
Closed
@gopherbot gopherbot added this to the Go1.24.3 milestone Apr 30, 2025
@neild neild added CherryPickApproved Used during the release process for point releases release-blocker and removed CherryPickCandidate Used during the release process for point releases labels Apr 30, 2025
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/670357 mentions this issue: [release-branch.go1.24] os: avoid escape from Root via paths ending in ../

@cherrymui cherrymui changed the title security: fix CVE-2025-22873 [1.24 backport] os: Root permits access to parent directory (fix CVE-2025-22873) [1.24 backport] May 6, 2025
gopherbot pushed a commit that referenced this issue May 6, 2025
@neild @cherrymui
[release-branch.go1.24] os: avoid escape from Root via paths ending i…
8947f33 
…n ../

The doInRoot function operates on a path split into components.
The final path component retained any trailing path separator
characters, to permit operations in a Root to retain the
trailing-separator behavior of non-Root operations. However,
doInRoot failed to take trailing separators into account
when checking for .. path components.

This could permit opening the parent directory of the Root
with a path ending in "../".

Change the split path to never include path separators in
components, and handle trailing separators independently
of the split path.

Thanks to Dan Sebastian Thrane of SDU eScience Center for
reporting this issue.

Fixes #73556
Updates #73555
Fixes CVE-2025-22873

Change-Id: I9a33a145c22f5eb1dd4e4cafae5fcc61a8d4f0d4
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2160
Reviewed-by: Neal Patel <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2180
Commit-Queue: Damien Neil <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/670357
Reviewed-by: Carlos Amedee <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
@gopherbot
Copy link
Contributor Author

Closed by merging CL 670357 (commit 8947f33) to release-branch.go1.24.

@stefanb stefanb mentioned this issue May 6, 2025
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases release-blocker Security
Projects
None yet
Milestone
Go1.24.3
Development

No branches or pull requests
2 participants
@neild @gopherbot