1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-16 15:57:04 +00:00
Files
Jiaying Song 82902b3d64 diffoscope: fix CVE-2024-25711
diffoscope before 256 allows directory traversal via an embedded
filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa,
may be disclosed to an attacker. This occurs because the value of the
gpg --use-embedded-filenames option is trusted.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-25711

Upstream patches:
https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/458f7f04bc053a0066aa7d2fd3251747d4899476

(From OE-Core rev: da4977e9414361a30eb322d1456a664515b35693)

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-12-09 07:54:03 -08:00
..
2024-12-09 07:54:03 -08:00