os: Root permits access to parent directory (fix CVE-2025-22873)

[neild]

os: Root permits access to parent directory

It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.

Root now correctly returns an error in this case.

This is CVE-2025-22873 and Go issue https://go.dev/issue/73555.

Thanks to Dan Sebastian Thrane of SDU eScience Center for reporting this issue.

---

This is a PRIVATE issue for CVE-2025-22873, tracked in http://b/408209442.

/cc @golang/security and @golang/release

[neild]

@gopherbot please backport to go1.24

[gopherbot]

Backport issue(s) opened: #73556 (for 1.24).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[stefanb]

Please check if this needs a backport also to 1.23, to be released in 1.23.9 (milestone), as expected from the announcement.

[gopherbot]

Change https://go.dev/cl/670357 mentions this issue: [release-branch.go1.24] os: avoid escape from Root via paths ending in ../

[gopherbot]

Change https://go.dev/cl/670036 mentions this issue: os: avoid escape from Root via paths ending in ../