Fork me on Salsa

« Back to homepage

diffoscope 256 released

09 Feb 2024 — Chris Lamb

The diffoscope maintainers are pleased to announce the release of diffoscope version 256. This version includes the following changes:

* CVE-2024-25711: Use a determistic name when extracting content from GPG
  artifacts instead of trusting the value of gpg's --use-embedded-filenames.

  This prevents a potential information disclosure vulnerability that could
  have been exploited by providing a specially-crafted GPG file with an
  embedded filename of, say, "../../.ssh/id_rsa".

  Many thanks to Daniel Kahn Gillmor <> for reporting this
  issue and providing feedback.

  (Closes: reproducible-builds/diffoscope#361)

* Temporarily fix support for Python 3.11.8 re. a potential regression
  with the handling of ZIP files. (See reproducible-builds/diffoscope#362)

You find out more by visiting the project homepage.

« Back to homepage