Bug#1115301: marked as done (golang-1.24 - fs.ReadDir silently truncates directories)

[Debian Bug Tracking System]

Your message dated Fri, 23 Jan 2026 07:22:01 +0000
with message-id <e1vjbux-0000000cqat-0...@fasolo.debian.org>
and subject line Bug#1115301: fixed in golang-1.25 1.25.6-1
has caused the Debian Bug report #1115301,
regarding golang-1.24 - fs.ReadDir silently truncates directories
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1115301: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115301
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: golang-1.24
Version: 1.24.4-3
Severity: grave
X-Debbugs-Cc: wa...@debian.org

fs.ReadDir silently fails to read directories fully.  As no error shows
up anywhere, this is silent data corruption, hence grave.

Go test code:
| package main
| 
| import (
|       "fmt"
|       "io/fs"
|       "os"
| )
| 
| func main() {
|       fsys := os.DirFS(os.Args[1])
|       entries, _ := fs.ReadDir(fsys, ".")
|       count := 0
|       for _, entry := range entries {
|               info, _ := entry.Info()
|               fmt.Println(info.Name(), info.IsDir())
|               count += 1
|       }
|       fmt.Println("found without '.' and '..':", count)
| }

C test code:
| #include <sys/types.h>
| #include <dirent.h>
| #include <stdio.h>
| 
| int main(int argc, char *argv[]) {
|   DIR* dirp = opendir(argv[1]);
|   struct dirent *dp;
|   int count = 0;
| 
|   while (dirp) {
|     if ((dp = readdir(dirp)) != NULL) {
|       printf("%llu %llu %u %s\n", (long long unsigned)dp->d_ino, (long long 
unsigned)dp->d_off, dp->d_type, dp->d_name);
|       count++;
|     }
|     else
|       break;
|   }
|   printf("found %d entries\n", count);
| 
|   return 0;
| }

If I use them on the same directory, which is implemented via FUSE, the
Go test ends with:

| found without '.' and '..': 46

The C test however shows many more:

| found 65 entries

strace on the Go test shows:

| getdents64(3, 0xc0000be000 /* 48 entries */, 8192) = 1520
| getdents64(3, 0xc0000be000 /* 17 entries */, 8192) = 544
| getdents64(3, 0xc0000be000 /* 0 entries */, 8192) = 0

Aka it find all entries from the first getdents64 call (46 plus "." and
".."), but then fails there somewhere without signaling the caller.

No warning about silent corruption is given in
https://pkg.go.dev/io/fs#ReadDir.

I would assume the underlying cause is the filesystem returning
DT_UNKNOWN as type for "." and "..", which it is allowed to do in all
cases.

-- System Information:
Debian Release: forky/sid
  APT prefers testing
  APT policy: (700, 'testing'), (500, 'unstable-debug'), (500, 
'stable-updates'), (500, 'oldstable-updates'), (500, 'unstable'), (500, 
'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.16.5+deb14-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages golang-1.24 depends on:
ii  golang-1.24-doc  1.24.4-3
ii  golang-1.24-go   1.24.4-3
ii  golang-1.24-src  1.24.4-3

golang-1.24 recommends no packages.

golang-1.24 suggests no packages.

-- no debconf information

--- End Message ---

--- Begin Message ---

Source: golang-1.25
Source-Version: 1.25.6-1
Done: Tianon Gravi <tia...@debian.org>

We believe that the bug you reported is fixed in the latest version of
golang-1.25, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1115...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tianon Gravi <tia...@debian.org> (supplier of updated golang-1.25 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 22 Jan 2026 23:07:54 -0800
Source: golang-1.25
Architecture: source
Version: 1.25.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Compiler Team <team+go-compi...@tracker.debian.org>
Changed-By: Tianon Gravi <tia...@debian.org>
Closes: 1115301 1121847 1125464 1125916
Changes:
 golang-1.25 (1.25.6-1) unstable; urgency=medium
 .
   [ Anshul Singh ]
   * Update to 1.25.5 upstream release
     https://go.dev/doc/devel/release#go1.25.5
     - crypto/x509: excessive resource consumption in printing error string for 
host certificate validation
     - crypto/x509: excluded subdomain constraint does not restrict wildcard 
SANs
 .
   [ Tianon Gravi ]
   * Update to 1.25.6 upstream release
 .
     1.25.6: (Closes: #1125916)
     - https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc/m/pQP7Bk0aCQAJ
 .
     - CVE-2025-61728: https://go.dev/issue/77102
       archive/zip: denial of service when parsing arbitrary ZIP archives
 .
     - CVE-2025-61726: https://go.dev/issue/77101
       net/http: memory exhaustion in Request.ParseForm
 .
     - CVE-2025-68121: https://go.dev/issue/77113
       crypto/tls: Config.Clone copies automatically generated session ticket
       keys, session resumption does not account for the expiration of full
       certificate chain
 .
     - CVE-2025-61731: https://go.dev/issue/77100
       cmd/go: bypass of flag sanitization can lead to arbitrary code
       execution
 .
     - CVE-2025-68119: https://go.dev/issue/77099
       cmd/go: unexpected code execution when invoking toolchain
 .
     - CVE-2025-61730: https://go.dev/issue/76443
       crypto/tls: handshake messages may be processed at the incorrect
       encryption level
 .
     - os: allow direntries to have zero inodes on Linux (Closes: #1115301)
 .
     1.25.5: (Closes: #1121847)
     - https://groups.google.com/g/golang-announce/c/8FJoBkPddm4/m/kYpVlPw1CQAJ
 .
     - CVE-2025-61729: https://go.dev/issue/76445
       crypto/x509: excessive resource consumption in printing error string for
       host certificate validation
 .
     - CVE-2025-61727: https://go.dev/issue/76442
       crypto/x509: excluded subdomain constraint does not restrict wildcard
       SANs
 .
     1.25.4:
     - https://groups.google.com/g/golang-announce/c/tVVHm9gnwl8/m/-oTvYIjCAQAJ
 .
   * Fix build with DEB_BUILD_OPTIONS=terse (Closes: #1125464)
     (solution borrowed from xz-utils debian/rules)
Checksums-Sha1:
 98806988a72f4a1ebfb53f9d6c751243274afc16 2947 golang-1.25_1.25.6-1.dsc
 c3de36c316f7b3d1c219534e6713abefd43d0d75 31987986 
golang-1.25_1.25.6.orig.tar.gz
 75be6762f032fe2760ef96f7696ded2502771663 833 golang-1.25_1.25.6.orig.tar.gz.asc
 bab5fa3283e45bea1492c0fb58a427443a34e9d5 45140 
golang-1.25_1.25.6-1.debian.tar.xz
 50fb8bfce9062ae65641a621736c85a807981e65 5631 
golang-1.25_1.25.6-1_source.buildinfo
Checksums-Sha256:
 23bc98e233504e6dc15ef328c1ba062a68b91994672fe276b68eb0c3258e1f85 2947 
golang-1.25_1.25.6-1.dsc
 58cbf771e44d76de6f56d19e33b77d745a1e489340922875e46585b975c2b059 31987986 
golang-1.25_1.25.6.orig.tar.gz
 0c6dc240f9bb8b8277f9bd563a93c697074ced149c95e676ff4f51c396972c03 833 
golang-1.25_1.25.6.orig.tar.gz.asc
 4883d22f428dd05adabbf753c44171cb3e88a0a07c6103f8fba7dad2f2aedb73 45140 
golang-1.25_1.25.6-1.debian.tar.xz
 8826591470b5e80d938ccdfcea3ff117d2840664e2c896423ffa845a91dab656 5631 
golang-1.25_1.25.6-1_source.buildinfo
Files:
 de483f0b52642df4a968ceff2ea25f34 2947 golang optional golang-1.25_1.25.6-1.dsc
 6451131ecdfe1ee666f52cc3cd9257d9 31987986 golang optional 
golang-1.25_1.25.6.orig.tar.gz
 33218f18f48413ed4498fa2a6c8c95f2 833 golang optional 
golang-1.25_1.25.6.orig.tar.gz.asc
 5ae1826ceb0622ecda07d789d5f8f27f 45140 golang optional 
golang-1.25_1.25.6-1.debian.tar.xz
 aad4d36f232dd6d9c9f0f22750b433bf 5631 golang optional 
golang-1.25_1.25.6-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEEtC9oGQB/APiONk/UA2qcJb81fdQFAmlzHrkSHHRpYW5vbkBk
ZWJpYW4ub3JnAAoJEANqnCW/NX3UQCgQAIzg/8GMUFBNFIQoi9CxMtcjSZBen1EX
Flqb+5JPrvIvbrmgn8DBaYpvwzHbYXaLoiK3xsVgFz2B+anE2ge3wtp02/rbBgD6
0rpsooc2xf3MokaZ5kOs2meY55K7qqZPI/8Vg5RxYh8B1Id61V7S5ZFSNE7Ok4eY
9IMZC5dkxe5Trsfbm7NVKdxzciEBKqpRqQZcKlMtP61Y54EfKm/KC0+QYsxPZqBI
WyzK0SvrjABfiC01gC2dWmIt8Mtf9YUnVTU0DWXhycALuzfCcNIxsa9q2gaUDKEu
2HJAbvDK+aRDcr3S32a5GHG/BE7zElVU449Q6Z6Q1CNifhyvyFaoEY5DQtQfl5jU
FQFXJzPKmLbQwZZ/ZNVojEeBcpRLcoVxznZA3vmsHpA54o9cy5KoqhCYccZKrsEy
jgQcCJVkewrD/2L3iltxdHQLhbkMIrsAJfNol6Vu+mjvW37uW3wg2cuBY2NAsLIU
Ap8eq9FoGzkYoJH37jPlU1l/0KCIg2dxUjOOoHze4HGkWdYUlWNKDFCQnbdyp6k3
U2uKlJdNUX53kpoflybBDd3J2oyaNavYAxsuNybvqJOBzSQrjIfiK80FG+Vnu/Et
xNUM8F/l/FNSDWZGr6qL2Um1DnRWVW5kqSjPUDxbu+2kImcumAonfB4+fL+pXO+/
pYkLxv2WyTNk
=qxys
-----END PGP SIGNATURE-----

pgpcNDku95_ch.pgp
Description: PGP signature

--- End Message ---