cmd/go: go tool pack does not sanitize output paths

[neild]

The "go tool pack" subcommand is a minimal version of the Unix ar utility.
It is used by the compiler as an internal tool with known-good inputs.

The "pack" subcommand did not sanitize output filenames.
When invoked to extract a malicious archive file, it could write
files to arbitrary locations on the filesystem.

The "pack" subcommand now refuses to extract files with names
containing any directory components.

Thanks to Harshit Gupta (Mr HAX) for reporting this issue.

This is CVE-2026-39817 and Go issue https://go.dev/issue/78778.

---

This was a PUBLIC track issue, tracked in http://b/499265616.

[gopherbot]

Change https://go.dev/cl/767520 mentions this issue: cmd/pack: refuse to extract files with directory components

[gabyhelp]

Related Issues

• cmd/go: go bug uses predictable temporary filenames #78584 (closed)
• cmd/go: directory traversal in "go get" via curly braces in import paths #29231 (closed)
• x/exp/cmd/txtar: expansion of environment variables and writing outside of the current directory seems risky #46741

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[neild]

@gopherbot please open backport issues for this security fix.

[gopherbot]

Backport issue(s) opened: #78790 (for 1.25), #78791 (for 1.26).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/767660 mentions this issue: [release-branch.go1.25] cmd/pack: refuse to extract files with directory components

[gopherbot]

Change https://go.dev/cl/767661 mentions this issue: [release-branch.go1.26] cmd/pack: refuse to extract files with directory components