CVE-2024-25711

Name: CVE-2024-25711
Description: diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

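| Source Package | Release | Version | Status |
|---|---|---|---|
| diffoscope (PTS) | bullseye | 177 | vulnerable |
| diffoscope (PTS) | bookworm | 240+deb12u1 | vulnerable |
| diffoscope (PTS) | sid, trixie | 285 | fixed |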

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| diffoscope | source | (unstable) | 256 | | | |

Notes

[bookworm] - diffoscope <no-dsa> (Minor issue)
[bullseye] - diffoscope <no-dsa> (Minor issue)
[buster] - diffoscope <no-dsa> (Minor issue; fix it along the next DLA)
https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/361
https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/458f7f04bc053a0066aa7d2fd3251747d4899476 (256)
