@vvoland vvoland commented Jul 8, 2025

This minor release includes 1 security fix following the security policy:

  • cmd/go: unexpected command execution in untrusted VCS repositories

    Various uses of the Go toolchain in untrusted VCS repositories can result in
    unexpected code execution. Using the Go toolchain in directories fetched
    using various VCS tools (such as directly cloning Git or Mercurial repositories)
    can cause the toolchain to execute unexpected commands, if said directory
    contains multiple VCS configuration metadata (such as a '.hg' directory in a Git
    repository). This is due to how the Go toolchain attempts to resolve which VCS
    is being used in order to embed build information in binaries and determine
    module versions.

    The toolchain will now abort attempting to resolve which VCS is being used if it
    detects multiple VCS configuration metadata in a module directory or nested VCS
    configuration metadata (such as a '.git' directory in a parent directory and a
    '.hg' directory in a child directory). This will not prevent the toolchain from
    building modules, but will result in binaries omitting VCS related build
    information.

    If this behavior is expected by the user, the old behavior can be re-enabled by
    setting GODEBUG=allowmultiplevcs=1. This should only be done in trusted
    repositories.

    Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for reporting
    this issue.

    This is CVE-2025-4674 and https://go.dev/issue/74380.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.24.5

Update Go runtime to 1.24.5

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>

- https://github.com/golang/go/issues?q=milestone%3AGo1.24.5+label%3ACherryPickApproved
- full diff: golang/go@go1.24.4...go1.24.5

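The condition the advisory describes, as an added example (not code from this PR, from docker/cli, or from the Go toolchain): a Go scanner that flags the two states in which go1.24.5 stops resolving the VCS for a checkout, several VCS marker directories in one directory, or metadata nested below a directory that already carries some. The marker list, the walk-based detection and the treatment of a `.git` file (submodule checkouts) are assumptions made for this example; it models the advisory's description, not the toolchain's own resolution code.

```go
package main

import (
	"os"
	"path/filepath"
	"sort"
)
// Marker directory -> VCS name (assumption: stand-ins for the toolchain's own list).
var vcsMarkers = map[string]string{".git": "git", ".hg": "hg", ".bzr": "bzr", ".svn": "svn"}
// Finding is a directory in the state that makes go1.24.5 abort VCS resolution:
// several markers in one place (len(VCS) > 1) or a marker below an ancestor (Nested).
type Finding struct {
	Dir    string   // path as walked from the scanned root
	VCS    []string // sorted VCS names found directly in Dir
	Nested bool
}
// ScanVCS walks a checkout; only marker directories count (a '.git' file left by a
// submodule checkout is ignored, an assumption) and they are never descended into.
func ScanVCS(root string) (out []Finding, err error) {
	root = filepath.Clean(root)
	hasVCS := map[string]bool{} // pre-order walk: ancestors are recorded before children
	err = filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error {
		if err != nil || !d.IsDir() {
			return err
		}
		if _, isMarker := vcsMarkers[d.Name()]; isMarker {
			return filepath.SkipDir
		}
		var names []string
		for marker, vcs := range vcsMarkers {
			if st, err := os.Stat(filepath.Join(path, marker)); err == nil && st.IsDir() {
				names = append(names, vcs)
			}
		}
		if len(names) == 0 {
			return nil
		}
		sort.Strings(names)
		hasVCS[path] = true
		nested := false // climb towards "/" or "." until an ancestor with metadata turns up
		for p, prev := filepath.Dir(path), ""; path != root && !nested && p != prev; p, prev = filepath.Dir(p), p {
			nested = hasVCS[p]
		}
		if len(names) > 1 || nested {
			out = append(out, Finding{Dir: path, VCS: names, Nested: nested})
		}
		return nil
	})
	return out, err
}
```

Run over a freshly fetched dependency before it is built, any finding is a reason to inspect the checkout rather than to set GODEBUG=allowmultiplevcs=1, which the advisory reserves for trusted repositories.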
@vvoland vvoland added this to the 28.3.2 milestone Jul 8, 2025
@vvoland vvoland self-assigned this Jul 8, 2025
@vvoland vvoland changed the title update to go1.24.5 Update to go1.24.5 Jul 8, 2025

codecov-commenter commented Jul 8, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 54.78%. Comparing base (3302212) to head (9bcc886).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #6167   +/-   ##
=======================================
  Coverage   54.78%   54.78%           
=======================================
  Files         365      365           
  Lines       30491    30491           
=======================================
  Hits        16706    16706           
  Misses      12809    12809           
  Partials      976      976           


@thaJeztah thaJeztah left a comment


LGTM


vvoland commented Jul 8, 2025

Flaky test:

#18 63.29 === Failed
#18 63.29 === FAIL: cli/command/container TestIgnoredSignals (unknown)
#18 63.29 panic: Fail in goroutine after TestRunPullTermination has completed
#18 63.29 
#18 63.29 goroutine 322 [running]:
#18 63.29 testing.(*common).Fail(0xc0004ec700)
#18 63.29 	/usr/local/go/src/testing/testing.go:988 +0xcb
#18 63.29 testing.(*common).FailNow(0xc0004ec700)
#18 63.29 	/usr/local/go/src/testing/testing.go:1017 +0x26
#18 63.29 github.com/docker/cli/vendor/gotest.tools/v3/assert.NilError({0x11fe618, 0xc0004ec700}, {0x11f4460, 0x19ba0c0}, {0x0, 0x0, 0x0})
#18 63.29 	/go/src/github.com/docker/cli/vendor/gotest.tools/v3/assert/assert.go:177 +0xee
#18 63.29 github.com/docker/cli/cli/command/container.TestRunPullTermination.func3.2()
#18 63.29 	/go/src/github.com/docker/cli/cli/command/container/run_test.go:252 +0x1a5
#18 63.29 created by github.com/docker/cli/cli/command/container.TestRunPullTermination.func3 in goroutine 16
#18 63.29 	/go/src/github.com/docker/cli/cli/command/container/run_test.go:244 +0x10c
#18 63.29 --- PASS: TestIgnoredSignals/SIGPIPE (0.00s)
#18 63.29 
#18 63.29 DONE 2255 tests, 4 skipped, 1 failure in 62.964s
#18 ERROR: process "/bin/sh -c gotestsum -- -coverprofile=/tmp/coverage.txt $(go list ./... | grep -vE '/vendor/|/e2e/')" did not complete successfully: exit code: 1
------
 > [test 2/2] RUN --mount=type=bind,target=.,rw     --mount=type=cache,target=/root/.cache     --mount=type=cache,target=/go/pkg/mod     gotestsum -- -coverprofile=/tmp/coverage.txt $(go list ./... | grep -vE '/vendor/|/e2e/'):
63.29 	/usr/local/go/src/testing/testing.go:1017 +0x26
63.29 github.com/docker/cli/vendor/gotest.tools/v3/assert.NilError({0x11fe618, 0xc0004ec700}, {0x11f4460, 0x19ba0c0}, {0x0, 0x0, 0x0})
63.29 	/go/src/github.com/docker/cli/vendor/gotest.tools/v3/assert/assert.go:177 +0xee
63.29 github.com/docker/cli/cli/command/container.TestRunPullTermination.func3.2()
63.29 	/go/src/github.com/docker/cli/cli/command/container/run_test.go:252 +0x1a5
63.29 created by github.com/docker/cli/cli/command/container.TestRunPullTermination.func3 in goroutine 16
63.29 	/go/src/github.com/docker/cli/cli/command/container/run_test.go:244 +0x10c
63.29 --- PASS: TestIgnoredSignals/SIGPIPE (0.00s)
63.29 
63.29 DONE 2255 tests, 4 skipped, 1 failure in 62.964s

@vvoland vvoland merged commit 30cad38 into docker:master Jul 8, 2025
111 of 193 checks passed