authorDamien Neil <dneil@google.com>2026-04-08 09:55:54 -0700
committerDamien Neil <dneil@google.com>2026-04-08 11:07:50 -0700
commit5d6aa23e5b6151d25955a512532383c28c745e18 (patch)
tree6e8e6af9ecbadaff70296a16c404bafc8f2ebb2d
parent352d76b2912b20ede8b3238fc2ed7b697bc2695b (diff)
cmd/go: use MkdirTemp to create temp directory for "go bug"
Don't use a predictable, potentially attacker-controlled filename in /tmp. Fixes #78584 Fixes CVE-2026-39819 Change-Id: I72116aa6dd8fa50f65b6dc0292a15a8c6a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/763882 Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Nicholas Husin <nsh@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
-rw-r--r--src/cmd/go/internal/bug/bug.go6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/cmd/go/internal/bug/bug.go b/src/cmd/go/internal/bug/bug.go
index a6b2b1d623..1e43e11551 100644
--- a/src/cmd/go/internal/bug/bug.go
+++ b/src/cmd/go/internal/bug/bug.go
@@ -184,14 +184,14 @@ func firstLine(buf []byte) []byte {
// printGlibcVersion prints information about the glibc version.
// It ignores failures.
func printGlibcVersion(w io.Writer) {
- tempdir := os.TempDir()
- if tempdir == "" {
+ tempdir, err := os.MkdirTemp("", "")
+ if err != nil {
return
}
src := []byte(`int main() {}`)
srcfile := filepath.Join(tempdir, "go-bug.c")
outfile := filepath.Join(tempdir, "go-bug")
- err := os.WriteFile(srcfile, src, 0644)
+ err = os.WriteFile(srcfile, src, 0644)
if err != nil {
return
}
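Review bot: The directory created by `os.MkdirTemp` in printGlibcVersion is not removed by this change: the diffstat lists three insertions, all visible in this hunk, and none of them is a cleanup. Before the commit `tempdir` was the shared system temp directory, so any cleanup later in the function (its body continues past the hunk) presumably removes only the individual files, which would leave one empty directory behind per `go bug` run. Adding `defer os.RemoveAll(tempdir)` directly after the `if err != nil { return }` check would cover the directory and both files in it. A non-empty pattern such as `os.MkdirTemp("", "go-bug-")` would also make a leftover directory attributable to this command.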