955613 – (CVE-2025-22873) <dev-lang/go-1.24.3: os: Root permits access to parent directory

Bug 955613 (CVE-2025-22873) - <dev-lang/go-1.24.3: os: Root permits access to parent directory

Summary: <dev-lang/go-1.24.3: os: Root permits access to parent directory

Status:	UNCONFIRMED

Alias:	CVE-2025-22873

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B4 [glsa? cleanup]
Keywords:	PullRequest

Depends on:	956323
Blocks:
	Show dependency tree

Reported:	2025-05-08 07:55 UTC by Leo Douglas
Modified:	2025-05-27 06:16 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/42085
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Leo Douglas 2025-05-08 07:55:38 UTC

go1.24.3 (released 2025-05-06) includes security fixes to the os package, as well as bug fixes to the runtime, the compiler, the linker, the go command, and the crypto/tls and os packages. See the [Go 1.24.3](https://github.com/golang/go/issues?q=milestone%3AGo1.24.3+label%3ACherryPickApproved) milestone on our issue tracker for details.

Comment 1 Sam James archtester

2025-05-08 07:59:58 UTC

You should file these as security bugs.

Comment 2 Leo Douglas 2025-05-08 08:01:22 UTC

(In reply to Sam James from comment #1)
> You should file these as security bugs.

thanks, sam.

Comment 3 Hans de Graaff gentoo-dev

2025-05-14 16:35:23 UTC

It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.