VYPR
Unrated severity · NVD Advisory · Published Feb 29, 2024 · Updated Aug 8, 2024

dp-golang Go installation could be owned by wrong user

CVE-2024-27294

Description

dp-golang is a Puppet module for Go installations. Prior to 1.2.7, dp-golang could install files — including the compiler binary — with the wrong ownership when Puppet was run as root and the installed package was, on macOS, Go version 1.4.3 through 1.21rc3 inclusive, go1.4-bootstrap-20170518.tar.gz, or go1.4-bootstrap-20170531.tar.gz. The user and group specified in Puppet code were ignored for files within the archive. dp-puppet version 1.2.7 will recreate installations if the owner or group of any file or directory within that installation does not match the requested owner or group.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

dp-golang before 1.2.7 could install Go binaries with incorrect ownership when run as root on macOS, allowing non-root users to modify the compiler.

Vulnerability

In dp-golang prior to version 1.2.7, when Puppet runs as root and installs a Go tarball for macOS (versions 1.4.3 through 1.21rc3 inclusive, or the bootstrap archives go1.4-bootstrap-20170518.tar.gz or go1.4-bootstrap-20170531.tar.gz), tar, invoked as root with its default flags, preserves the owner and group recorded for each entry in the archive. These specific tarballs contain files owned by non-root users (e.g., gopher or UID 501). As a result, the owner and group parameters specified in the Puppet manifest are ignored for files within the archive, and those files are left owned by the tarball's original user [1][2][3].

Exploitation

An attacker does not need network access to exploit this vulnerability directly. The flaw is present during the initial installation or reinstallation of a Go distribution by Puppet on a macOS system where Puppet runs as root and the affected Go tarball is used. A non-root user on the system who can access the installed Go files (e.g., the user whose UID matches the archive's owner) could modify those files. No additional authentication or user interaction beyond the normal Puppet run is required [2][3].

Impact

If the Go installation files (including the go compiler binary) are owned by a non-root user, that user can modify them. In the worst case, the compiler can be tampered with to inject vulnerabilities into any compiled Go code. This could compromise other users or systems that subsequently run Go programs built with the compromised compiler, potentially leading to privilege escalation or code execution in a broader context [3].

Mitigation

Update to dp-golang version 1.2.7, released concurrently with this advisory. Version 1.2.7 adds an exec resource that checks the ownership of every file and directory in the Go installation directory and recreates the installation if any of them has the wrong owner or group. Additionally, the extract flags --no-same-owner and --no-same-permissions are now passed to tar so that files are created with the Puppet-specified user and group rather than the ownership recorded in the archive. As a workaround, administrators can manually chown the Go directory to the correct owner and group, but this does not guarantee that the files were not already tampered with [1][2][3].
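The two checks described in the Vulnerability and Mitigation sections above, as an added Python example that is not part of the advisory or of the dp-golang module: a pre-install scan of a tarball for entries whose recorded uid/gid differ from the owner the administrator wants (the entries that tar, run as root with default flags, would preserve), an extraction that discards the archive's ownership the way --no-same-owner does, and the post-install ownership audit that 1.2.7 performs over every file and directory of the installation. The archive is constructed in memory to mimic a Go tarball whose files are owned by uid 501; the file names, uids and content are assumptions for illustration, not the real tarball's contents.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Constructed sample: stands in for a macOS Go tarball whose entries carry a
# non-root owner (uid 501 / gid 20, typical of the first macOS user account).
# Names, uids and contents are assumed for illustration only.
SAMPLE_ENTRIES = [
    ("go/bin/go", 501, 20, b"#!/bin/sh\necho constructed-go-binary\n"),
    ("go/VERSION", 501, 20, b"go1.21rc3\n"),
    ("go/src/README", 0, 0, b"constructed file owned by root\n"),
]


def build_sample_archive():
    """Build an in-memory .tar.gz containing the constructed entries above."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, uid, gid, content in SAMPLE_ENTRIES:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.uid, info.gid = uid, gid
            info.uname = "gopher" if uid else "root"
            info.gname = "staff" if gid else "wheel"
            info.mode = 0o755 if name.endswith("/go") else 0o644
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def archive_ownership_mismatches(archive_bytes, expected_uid=0, expected_gid=0):
    """Pre-install check: entries whose recorded owner/group differ from the
    requested ones. Extracted as root with default tar flags, these would keep
    the recorded ownership, which is the defect the advisory describes."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.uid != expected_uid or m.gid != expected_gid:
                found.append((m.name, m.uid, m.gid))
    return found


def extract_ignoring_archive_owner(archive_bytes, dest):
    """Extract regular files without applying the archive's uid/gid (the effect
    of tar --no-same-owner): every path ends up owned by the extracting user."""
    dest = Path(dest).resolve()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            target = (dest / m.name).resolve()
            if dest not in target.parents:  # refuse entries that escape dest
                raise ValueError(f"refusing to extract outside dest: {m.name}")
            if m.isdir():
                target.mkdir(parents=True, exist_ok=True)
            elif m.isfile():
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(tf.extractfile(m).read())
                target.chmod(m.mode & 0o777)
            # symlinks, devices and other entry types are deliberately skipped
    return dest


def installation_ownership_mismatches(root, expected_uid, expected_gid):
    """Post-install audit, the check dp-golang 1.2.7 adds: every path under root
    whose on-disk owner or group differs from the requested owner/group."""
    bad = []
    for p in Path(root).rglob("*"):
        st = p.lstat()  # lstat so a symlink's own ownership is examined
        if st.st_uid != expected_uid or st.st_gid != expected_gid:
            bad.append((str(p.relative_to(root)), st.st_uid, st.st_gid))
    return bad


def demo():
    """Run both checks on the constructed archive and return the results."""
    data = build_sample_archive()
    with tempfile.TemporaryDirectory() as tmp:
        extract_ignoring_archive_owner(data, tmp)
        me, my_group = os.getuid(), os.getgid()
        return {
            # entries the pre-install scan flags (recorded owner is not root)
            "archive_nonroot_entries": sorted(n for n, _, _ in archive_ownership_mismatches(data)),
            # nothing is flagged when the audit expects the extracting user
            "mismatches_for_extracting_user": installation_ownership_mismatches(tmp, me, my_group),
            # every path (3 files + 3 directories) is flagged for any other uid
            "mismatches_for_other_uid": len(installation_ownership_mismatches(tmp, me + 1, my_group)),
        }


if __name__ == "__main__":
    print(demo())
```

The pre-install scan is the cheap check: if an archive records any non-root owner and the install will run as root, either pass --no-same-owner or expect to chown afterwards. The post-install audit is what turns a silent ownership drift into a detectable condition, and it is the same comparison that 1.2.7 uses to decide whether to recreate the installation.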

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (No linked articles in our index yet.)