path: root/scripts/lib/resulttool/store.py
author: Jiaying Song <jiaying.song.cn@windriver.com> 2024-12-04 18:21:18 +0800
committer: Steve Sakoman <steve@sakoman.com> 2024-12-09 07:54:03 -0800
commit: 82902b3d64d81fe0e67da723a2270ea1f23dac12 (patch)
tree: 47f87dd08368b91400b7f3d251b41b0d8b6ae934 /scripts/lib/resulttool/store.py
parent: 450857b441c79898168691082210dbd2cd81bfc1 (diff)
download: poky-82902b3d64d81fe0e67da723a2270ea1f23dac12.tar.gz
diffoscope: fix CVE-2024-25711
diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-25711

Upstream patches: https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/458f7f04bc053a0066aa7d2fd3251747d4899476

(From OE-Core rev: da4977e9414361a30eb322d1456a664515b35693)

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'scripts/lib/resulttool/store.py')
0 files changed, 0 insertions, 0 deletions