CVE-2024-25711

NameCVE-2024-25711
Descriptiondiffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
diffoscope (PTS)buster113vulnerable
bullseye177vulnerable
bookworm240vulnerable
sid, trixie271fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
diffoscopesource(unstable)256

Notes

[bookworm] - diffoscope <no-dsa> (Minor issue)
[bullseye] - diffoscope <no-dsa> (Minor issue)
[buster] - diffoscope <no-dsa> (Minor issue; fix it along the next DLA)
https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/361
https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/458f7f04bc053a0066aa7d2fd3251747d4899476 (256)

Search for package or bug name: Reporting problems