Reproducible Builds: >> Diffoscope Security Vulnerabilities
diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.
CVSS Score
7.5
EPSS Score
0.032
Published
2024-02-27
diffoscope before 77 writes to arbitrary locations on disk based on the contents of an untrusted archive.
CVSS Score
9.8
EPSS Score
0.005
Published
2018-04-13