base repository: golang/glog
base: v1.2.3
head repository: golang/glog
compare: v1.2.5
  • 4 commits
  • 3 files changed
  • 1 contributor

Commits on Jan 13, 2025

  1. glog: Don't try to create/rotate a given syncBuffer twice in the same second
    
    If you do, then you truncate the existing file. So logging too much too quickly would lose log data.
    
    cl/709080575 (google-internal)
    chressie authored and stapelberg committed Jan 13, 2025
    commit dd58629
  2. commit 7139da2
  3. glog: have createInDir fail if the file already exists

    This prevents an attack like the one described
    [here](https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File#:~:text=On%20Unix%20based,with%20elevated%20permissions.).
    An unprivileged attacker could use symlinks to trick a privileged
    logging process to follow a symlink from the log dir and write logs over
    an arbitrary file.
    
    The components of the log names are program, host, username, tag, date,
    time and PID. These are all predictable. It's not at all unusual for the
    logdir to be writable by unprivileged users, and one of the fallback
    directories (/tmp) traditionally has broad write privs with the sticky
    bit set on Unix systems.
    
    As a concrete example, let's say I've got a glog-enabled binary running
    as a root cronjob. I can gauge when that cron job will run and then use
    a bash script to spray the log dir with glog-looking symlinks to
    `/etc/shadow` with predicted times and PIDs. When the cronjob runs, the
    `os.Create` call will follow the symlink, truncate `/etc/shadow` and
    then fill it with logs.
    
    This change defeats that by setting `O_EXCL`, which will cause the open
    call to fail if the file already exists.
    
    Fixes CVE-2024-45339
    
    cl/712795111 (google-internal)
    chressie authored and stapelberg committed Jan 13, 2025
    commit a0e3c40
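The commit message above explains the fix: opening the log file with `O_EXCL` makes the open fail when anything already exists at the path, so a pre-planted symlink is never followed. The program below is an added example, not glog's own `createInDir` or any code from this compare page. It constructs the scenario inside a temporary directory (a victim file plus a glog-style log name that is really a symlink to it), shows that the hardened `O_EXCL` open refuses with `os.ErrExist` and leaves the victim untouched, and, for contrast, shows that plain `os.Create` (which is `O_RDWR|O_CREATE|O_TRUNC` without `O_EXCL`) follows the link and truncates the victim. The helper name `createLogExclusive`, the struct `SymlinkResult`, and the log file name are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// createLogExclusive opens a brand-new log file at dir/name. O_EXCL makes the
// open fail with "file exists" when anything is already at that path, including
// an attacker-planted symlink, so the kernel never follows the link. This is a
// hypothetical helper written for this example, not glog's createInDir.
func createLogExclusive(dir, name string) (*os.File, error) {
	return os.OpenFile(filepath.Join(dir, name), os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0666)
}

// SymlinkResult summarises what happened to a victim file when a log was
// created at a path pre-seeded with a symlink pointing at it.
type SymlinkResult struct {
	ExclusiveFailedAsExists bool   // hardened open refused with os.ErrExist
	VictimContentAfterExcl  string // victim content after the hardened attempt
	PlainCreateTruncated    bool   // pre-fix os.Create followed the link and emptied the victim
}

// demoSymlinkDefense builds a constructed scenario entirely inside a temp dir:
// a victim file with known content and a glog-style log name that is actually
// a symlink to that victim. It then tries the hardened open, checks the victim
// is untouched, and for contrast runs the pre-fix os.Create.
func demoSymlinkDefense() (SymlinkResult, error) {
	var res SymlinkResult
	tmp, err := os.MkdirTemp("", "glog-excl-demo")
	if err != nil {
		return res, err
	}
	defer os.RemoveAll(tmp)

	const original = "important data\n"
	victim := filepath.Join(tmp, "victim.txt")
	if err := os.WriteFile(victim, []byte(original), 0600); err != nil {
		return res, err
	}

	logDir := filepath.Join(tmp, "logdir")
	if err := os.Mkdir(logDir, 0755); err != nil {
		return res, err
	}
	// Constructed name in glog's program.host.user.log.SEVERITY.date-time.pid shape.
	const logName = "prog.host.user.log.INFO.20250113-120000.4242"
	if err := os.Symlink(victim, filepath.Join(logDir, logName)); err != nil {
		return res, err
	}

	// Hardened path: O_EXCL sees the existing symlink and refuses.
	if f, err := createLogExclusive(logDir, logName); err == nil {
		f.Close()
	} else if errors.Is(err, os.ErrExist) {
		res.ExclusiveFailedAsExists = true
	} else {
		return res, err
	}
	data, err := os.ReadFile(victim)
	if err != nil {
		return res, err
	}
	res.VictimContentAfterExcl = string(data)

	// Pre-fix path for contrast: os.Create is O_RDWR|O_CREATE|O_TRUNC without
	// O_EXCL, so it follows the symlink and truncates the victim.
	f, err := os.Create(filepath.Join(logDir, logName))
	if err != nil {
		return res, err
	}
	f.Close()
	if data, err = os.ReadFile(victim); err != nil {
		return res, err
	}
	res.PlainCreateTruncated = len(data) == 0
	return res, nil
}

func main() {
	res, err := demoSymlinkDefense()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("%+v\n", res)
}
```

Running it prints a result with `ExclusiveFailedAsExists:true`, the victim's original content, and `PlainCreateTruncated:true`. The design point is that the check and the create are one atomic syscall: a separate "does the file exist?" test before `os.Create` would still leave a window for the symlink to appear, which is why the fix uses `O_EXCL` rather than a stat-then-create sequence.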

Commits on Apr 29, 2025

  1. glog: generate a Fatalf-like error message when writing to logsinks fails (#76)
    
    Writing to logsinks can fail (for example due to "no space left on device" or I/O errors). When that happens glog has no reasonable way to continue and causes the program to exit with exit status 2.
    
    Previously glog reused the metadata of the current call to print an error message, but that was problematic. Depending on the current call's log severity it's possible that the program just exited without printing anything. That's confusing and hard to debug.
    
    To fix that, glog now creates a new FATAL-level metadata object and prints a clearer error message (with stacks). In most situations this will at least be logged to stderr.
    
    Thanks @atetubou for the initial fix!
    
    cl/750790337 (google-internal)
    cl/752634801 (google-internal)
    chressie authored Apr 29, 2025
    commit 2b790ef