Message-ID: <20260115212705.TKR365wo@steffen%sdaoden.eu>
Date: Thu, 15 Jan 2026 22:27:05 +0100
From: Steffen Nurpmeso <steffen@...oden.eu>
To: oss-security@...ts.openwall.com
Subject: Re: Go 1.25.6 and Go 1.24.12 are released
 with 6 CVE fixes

Alan Coopersmith wrote in
 <01e3014e-85d8-484c-b755-bd8eb6ddd10d@...cle.com>:
 |https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc announces:
 |> Hello gophers,
 |> 
 |> We have just released Go versions 1.25.6 and 1.24.12, minor point \
 |> releases.
 |> 
 |> These releases include 6 security fixes following the security policy:
 |> 
 |>   - archive/zip: denial of service when parsing arbitrary ZIP archives
 |> 
 |>     archive/zip used a super-linear file name indexing algorithm \
 |>     that is invoked
 |>     the first time a file in an archive is opened. This can lead \
 |>     to a denial of
 |>     service when consuming a maliciously constructed ZIP archive.
 |> 
 |>     Thanks to Jakub Ciolek for reporting this issue.
 |> 
 |>     This is CVE-2025-61728 and Go issue https://go.dev/issue/77102.

Go is thrilling you know, those personalities involved in the past
and present (also including Plan9 history, and all that) ...

It is a little bit off-topic, but it reminds me of kinds of
"deterioration", as well as "spread complication" I have
introduced myself when fixing bugs of all sort.  So looking at the
linked bug report, I see

  for dir := path.Dir(name); dir != "."; dir = path.Dir(dir) {

being replaced with an unrolled

  if idx := strings.LastIndex(dir, "/"); idx < 0 {
    ...

But Go supports "modification in place", and doesn't the above
imply that the Go standard library interface is missing important
functionality to avoid such security glitches in any code that
makes use of path.?  I.e., path.Dir() is

  Dir returns all but the last element of path, typically the
  path's directory. After dropping the final element using Split,
  the path is Cleaned and trailing slashes are removed. If the
  path is empty, Dir returns ".". If the path consists entirely of
  slashes followed by non-slash bytes, Dir returns a single
  slash. In any other case, the returned path does not end in
  a slash.

and path.Split() is

  Split splits path immediately following the final slash,
  separating it into a directory and file name component. If there
  is no slash in path, Split returns an empty dir and file set to
  path. The returned values have the property that path
  = dir+file.

And I note that the committed bugfix not only avoids all the
canonicalization cleanup of Dir(), but also the creation of new
(temporary) result strings.  In order to do that it creates (yet
another?) place that fiddles with indices.

Just a (well-known, granted) thought in all the overdriven
"memory-safe" noise.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
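
Added example, not part of the original message and not the Go project's code: the two loop shapes quoted above, run side by side on constructed names. The function names and the byte-count cost model are assumptions made for illustration; the extra "/" stop condition is also added here.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// parentsViaDir has the shape of the loop quoted above. Every step hands the
// whole remaining prefix to path.Dir, which Cleans it again. bytesIn sums the
// input lengths as a rough cost model. The "/" test is added here because
// path.Dir("/") is "/", never ".".
func parentsViaDir(name string) (dirs []string, bytesIn int) {
	bytesIn = len(name)
	for dir := path.Dir(name); dir != "." && dir != "/"; dir = path.Dir(dir) {
		dirs = append(dirs, dir)
		bytesIn += len(dir)
	}
	return dirs, bytesIn
}

// parentsViaIndex has the shape of the replacement: cut at the last "/".
// No cleaning and no new strings; bytesIn counts what the backward scan reads.
func parentsViaIndex(name string) (dirs []string, bytesIn int) {
	dir := name
	for {
		idx := strings.LastIndex(dir, "/")
		if idx < 0 {
			return dirs, bytesIn + len(dir)
		}
		bytesIn += len(dir) - idx
		dir = dir[:idx]
		dirs = append(dirs, dir)
	}
}

func main() {
	// Constructed sample names: one clean, one non-canonical, one deeply nested.
	deep := strings.Repeat("d/", 1000) + "f"
	for _, n := range []string{"a/b/c.txt", "a//b/../c", deep} {
		d1, c1 := parentsViaDir(n)
		d2, c2 := parentsViaIndex(n)
		same := strings.Join(d1, "\n") == strings.Join(d2, "\n")
		fmt.Printf("len=%d same=%v dir-cost=%d index-cost=%d\n", len(n), same, c1, c2)
	}
}
```

On the clean name both loops return the same parents; on "a//b/../c" they differ, so the index form is only a drop-in replacement when names are already canonical.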
