From the 256 release notes: """ * CVE-2024-25711: Use a deterministic name when extracting content from GPG artifacts instead of trusting the value of gpg's --use-embedded-filenames. This prevents a potential information disclosure vulnerability that could have been exploited by providing a specially-crafted GPG file with an embedded filename of, say, "../../.ssh/id_rsa". Many thanks to Daniel Kahn Gillmor <dkg@debian.org> for reporting this issue and providing feedback. (Closes: reproducible-builds/diffoscope#361) """
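The fix described in the release notes, as an added illustration that is not diffoscope's own code: the decrypted content is always written to a fixed name chosen by the caller via gpg's --output, the embedded filename is never consulted, and the extraction directory is checked afterwards. The helper names, the `content` file name and the injectable `run` callable (so the flow can be exercised without gpg installed) are assumptions of this example.

```python
import os
import subprocess
import tempfile

# Deterministic name for the decrypted payload (assumed for this example); the
# filename embedded in the GPG data is never used, so it cannot steer the path.
CONTENT_NAME = "content"

def unsafe_embedded_name(name):
    """True if an embedded filename could escape the extraction directory.
    Useful when auditing code that still honours embedded names."""
    if not name or os.path.isabs(name):
        return True
    return ".." in name.replace("\\", "/").split("/")

def build_gpg_argv(artifact, out_path):
    """gpg invocation that pins the destination with --output; no
    --use-embedded-filename(s) option is ever passed."""
    return ["gpg", "--batch", "--yes", "--output", out_path, "--decrypt", artifact]

def extract_gpg_content(artifact, workdir, run=subprocess.run):
    """Decrypt `artifact` into workdir/content and return that path."""
    workdir = os.path.realpath(workdir)
    out_path = os.path.join(workdir, CONTENT_NAME)
    run(build_gpg_argv(artifact, out_path), check=True)
    # Defence in depth: the only file accepted is the one we named, and it must
    # still resolve inside workdir (guards against symlink tricks as well).
    produced = sorted(os.listdir(workdir))
    if produced != [CONTENT_NAME]:
        raise RuntimeError("unexpected files in extraction dir: %r" % produced)
    if os.path.commonpath([workdir, os.path.realpath(out_path)]) != workdir:
        raise RuntimeError("output escaped extraction directory")
    return out_path

def fake_gpg(argv, check=True):
    """Constructed stand-in for gpg: writes dummy bytes to the --output path."""
    out_path = argv[argv.index("--output") + 1]
    with open(out_path, "wb") as fh:
        fh.write(b"decrypted payload (constructed)")
    return subprocess.CompletedProcess(argv, 0)

def demo():
    """Run the extraction with the fake gpg; returns (file name, inside workdir?)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = extract_gpg_content("crafted.gpg", workdir, run=fake_gpg)
        return os.path.basename(path), os.path.dirname(path) == os.path.realpath(workdir)

if __name__ == "__main__":
    print(demo())
```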
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c75ab0fd2b82f5e3b6d64a0e2bf86655b53e6134

commit c75ab0fd2b82f5e3b6d64a0e2bf86655b53e6134
Author: Sam James <sam@gentoo.org>
AuthorDate: 2024-02-18 09:21:23 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-02-18 09:21:23 +0000

dev-util/diffoscope: add 257

Bug: https://bugs.gentoo.org/924883
Signed-off-by: Sam James <sam@gentoo.org>

dev-util/diffoscope/Manifest | 1 +
dev-util/diffoscope/diffoscope-257.ebuild | 124 ++++++++++++++++++++++++++++++
2 files changed, 125 insertions(+)