Gogs 自托管 Git 服务中 CVE-2025-8110 漏洞及 TOCTOU 竞态条件分析

Gogs 自托管 Git 服务中 CVE-2025-8110 漏洞及 TOCTOU 竞态条件分析
嗯，用户让我帮忙总结一下这篇文章的内容，控制在100字以内，而且不需要特定的开头。首先，我需要理解文章的主要内容。看起来这是一封邮件列表里的讨论，关于Gogs的一个漏洞CVE-2025-8110。Collin Funk提到修复可能引入了TOCTOU竞态条件，攻击者可以删除部分路径并创建符号链接，导致漏洞重现。Michael Orlitzky回应说Go语言有O_NOFOLLOW选项，但单独使用可能不够，需要逐个组件处理路径。所以，总结的时候要涵盖漏洞、修复问题、O_NOFOLLOW的不足以及建议的处理方法。控制在100字以内的话，需要简洁明了。先确定关键点：Gogs漏洞修复、TOCTOU风险、O_NOFOLLOW不足、逐个组件处理路径。把这些点连贯地表达出来。可能会写成：“讨论Gogs漏洞修复引入TOCTOU风险，攻击者可利用符号链接绕过修复。建议使用O_NOFOLLOW，并逐个组件处理路径以避免其他组件中的符号链接问题。” 这样既涵盖了主要问题和建议的解决方案，又符合字数限制。 </think> 讨论Gogs漏洞修复引入TOCTOU风险，攻击者可利用符号链接绕过修复。建议使用O_NOFOLLOW，并逐个组件处理路径以避免其他组件中的符号链接问题。 2026-1-18 01:58:0 Author: seclists.org(查看原文) 阅读量:1 收藏

oss-sec mailing list archives

From: Michael Orlitzky <michael () orlitzky com>
Date: Sat, 17 Jan 2026 20:55:50 -0500

On 2026-01-17 15:02:42, Collin Funk wrote:


This just introduces TOCTOU races, no?

If someone can delete a portion of "opts.NewTreeName" and recreate an
element as a symbolic link before "os.MkdirAll" is executed, they would
be able to achieve the same thing as before the patch.

Surely Go has a way to use O_NOFOLLOW, right? That would be the correct
way to do it.


I have not looked at the actual issue here, but in general even
O_NOFOLLOW is insufficient, because it only affects the trailing path
component. To avoid symlinks in other components, you must carefully
openat() each path component, one at a time, starting from the root.

Current thread:

Re: CVE-2025-8110 in Gogs self-hosted git service Chad Dougherty (Jan 17)
- Re: CVE-2025-8110 in Gogs self-hosted git service Collin Funk (Jan 17)
  - Re: CVE-2025-8110 in Gogs self-hosted git service Michael Orlitzky (Jan 17)

文章来源: https://seclists.org/oss-sec/2026/q1/87
如有侵权请联系:admin#unsafe.sh