Carlos Amedee (Gerrit)

unread,

Jul 8, 2025, 12:29:16 PM7/8/25

to Roland Shoemaker, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Go LUCI, David Chase, golang-co...@googlegroups.com

Carlos Amedee submitted the change

Change information

Commit message:

[release-branch.go1.23] cmd/go: disable support for multiple vcs in one module

Removes the somewhat redundant vcs.FromDir, "allowNesting" argument,
which was always enabled, and disallow multiple VCS metadata folders
being present in a single directory. This makes VCS injection attacks
much more difficult.

Also adds a GODEBUG, allowmultiplevcs, which re-enables this behavior.

Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for
reporting this issue.

Updates #74380
Fixes #74382
Fixes CVE-2025-4674

Change-Id: I2db79f2baacfacfec331ee7c6978c4057d483eba

Reviewed-on: https://go-review.googlesource.com/c/go/+/686337

LUCI-TryBot-Result: Go LUCI <golang...@luci-project-accounts.iam.gserviceaccount.com>

Reviewed-by: David Chase <drc...@google.com>

Reviewed-by: Carlos Amedee <car...@golang.org>

Commit-Queue: Carlos Amedee <car...@golang.org>

Files:

M doc/godebug.md
M src/cmd/go/internal/load/pkg.go
M src/cmd/go/internal/vcs/vcs.go
M src/cmd/go/internal/vcs/vcs_test.go
A src/cmd/go/testdata/script/test_multivcs.txt
M src/cmd/go/testdata/script/version_buildvcs_nested.txt
M src/internal/godebugs/godebugs_test.go
M src/internal/godebugs/table.go
M src/runtime/metrics/doc.go

Change size: M

Delta: 9 files changed, 108 insertions(+), 23 deletions(-)

Branch: refs/heads/release-branch.go1.23

Submit Requirements:

Code-Review: +2 by David Chase, +2 by Carlos Amedee
TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI

Open in Gerrit

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

open

diffy

satisfied_requirement

Carlos Amedee (Gerrit)

unread,

Jul 8, 2025, 12:29:34 PM7/8/25

to Roland Shoemaker, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Go LUCI, David Chase, golang-co...@googlegroups.com

Carlos Amedee submitted the change

Change information

Commit message:

[release-branch.go1.24] cmd/go: disable support for multiple vcs in one module



Removes the somewhat redundant vcs.FromDir, "allowNesting" argument,
which was always enabled, and disallow multiple VCS metadata folders
being present in a single directory. This makes VCS injection attacks
much more difficult.

Also adds a GODEBUG, allowmultiplevcs, which re-enables this behavior.

Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for
reporting this issue.

Updates #74380

Fixes #74381
Fixes CVE-2025-4674

Change-Id: I6c7925b034d60b80d7698cca677b00bdcc67f24e

Reviewed-on: https://go-review.googlesource.com/c/go/+/686395

Reviewed-by: David Chase <drc...@google.com>

LUCI-TryBot-Result: Go LUCI <golang...@luci-project-accounts.iam.gserviceaccount.com>

Reviewed-by: Carlos Amedee <car...@golang.org>

Commit-Queue: Carlos Amedee <car...@golang.org>

Files:

M doc/godebug.md
M src/cmd/go/internal/load/pkg.go
M src/cmd/go/internal/modfetch/repo.go

M src/cmd/go/internal/vcs/vcs.go
M src/cmd/go/internal/vcs/vcs_test.go
A src/cmd/go/testdata/script/test_multivcs.txt
M src/cmd/go/testdata/script/version_buildvcs_nested.txt
M src/internal/godebugs/godebugs_test.go
M src/internal/godebugs/table.go
M src/runtime/metrics/doc.go

Change size: M

Delta: 10 files changed, 109 insertions(+), 24 deletions(-)

Branch: refs/heads/release-branch.go1.24

Submit Requirements:

Code-Review: +2 by Carlos Amedee, +2 by David Chase

TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI

Open in Gerrit

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

open

diffy

satisfied_requirement

Carlos Amedee (Gerrit)

unread,

Jul 8, 2025, 12:29:39 PM7/8/25

to Roland Shoemaker, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Go LUCI, David Chase, golang-co...@googlegroups.com

Carlos Amedee submitted the change

Change information

Commit message:

[release-branch.go1.25] cmd/go: disable support for multiple vcs in one module



Removes the somewhat redundant vcs.FromDir, "allowNesting" argument,
which was always enabled, and disallow multiple VCS metadata folders
being present in a single directory. This makes VCS injection attacks
much more difficult.

Also adds a GODEBUG, allowmultiplevcs, which re-enables this behavior.

Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for
reporting this issue.

Fixes #74380
Fixes CVE-2025-4674

Change-Id: I95b619588ecb6661770aa4e1d6023d6cb22e2263

Reviewed-on: https://go-review.googlesource.com/c/go/+/686338

Reviewed-by: David Chase <drc...@google.com>

Auto-Submit: Carlos Amedee <car...@golang.org>

TryBot-Bypass: Carlos Amedee <car...@golang.org>

Files:

M doc/godebug.md
M src/cmd/go/internal/load/pkg.go
M src/cmd/go/internal/modfetch/repo.go
M src/cmd/go/internal/vcs/vcs.go
M src/cmd/go/internal/vcs/vcs_test.go
A src/cmd/go/testdata/script/test_multivcs.txt
M src/cmd/go/testdata/script/version_buildvcs_nested.txt

M src/internal/godebugs/table.go
M src/runtime/metrics/doc.go

Change size: M

Delta: 9 files changed, 108 insertions(+), 23 deletions(-)

Branch: refs/heads/release-branch.go1.25

Submit Requirements:

Code-Review: +2 by David Chase
TryBots-Pass: LUCI-TryBot-Result-1 by Go LUCI, TryBot-Bypass+1 by Carlos Amedee

Open in Gerrit

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

open

diffy

satisfied_requirement

Carlos Amedee (Gerrit)

unread,

Jul 8, 2025, 2:30:45 PM7/8/25

to Roland Shoemaker, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Go LUCI, Dmitri Shuralyov, David Chase, golang-co...@googlegroups.com

Carlos Amedee submitted the change

Change information

Commit message:

cmd/go: disable support for multiple vcs in one module



Removes the somewhat redundant vcs.FromDir, "allowNesting" argument,
which was always enabled, and disallow multiple VCS metadata folders
being present in a single directory. This makes VCS injection attacks
much more difficult.

Also adds a GODEBUG, allowmultiplevcs, which re-enables this behavior.

Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for reporting this issue.

Fixes #74380
Fixes CVE-2025-4674

Change-Id: I5787d90cdca8deb3aca6f154efb627df1e7d2789

Reviewed-on: https://go-review.googlesource.com/c/go/+/686515

LUCI-TryBot-Result: Go LUCI <golang...@luci-project-accounts.iam.gserviceaccount.com>

Reviewed-by: David Chase <drc...@google.com>

Commit-Queue: Carlos Amedee <car...@golang.org>

Reviewed-by: Carlos Amedee <car...@golang.org>

Files:

M doc/godebug.md
M src/cmd/go/internal/load/pkg.go
M src/cmd/go/internal/modfetch/repo.go
M src/cmd/go/internal/vcs/vcs.go
M src/cmd/go/internal/vcs/vcs_test.go
A src/cmd/go/testdata/script/test_multivcs.txt
M src/cmd/go/testdata/script/version_buildvcs_nested.txt
M src/internal/godebugs/table.go
M src/runtime/metrics/doc.go

Change size: M

Delta: 9 files changed, 108 insertions(+), 23 deletions(-)

Branch: refs/heads/master

Submit Requirements:

Code-Review: +2 by David Chase, +2 by Carlos Amedee

TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI

Open in Gerrit

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

open

diffy

satisfied_requirement

Reply all

Reply to author

Forward

[go/release-branch.go1.23] [release-branch.go1.23] cmd/go: disable support for multiple vcs in one module

Carlos Amedee (Gerrit)

Carlos Amedee submitted the change

Change information

Carlos Amedee (Gerrit)

Carlos Amedee submitted the change

Change information

Carlos Amedee (Gerrit)

Carlos Amedee submitted the change

Change information

Carlos Amedee (Gerrit)

Carlos Amedee submitted the change

Change information