Upstream information

CVE-2024-25711 at MITRE

Description

diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently not rated by SUSE because it does not affect the SUSE Enterprise products.

SUSE Bugzilla entry: 1220157 [RESOLVED / FIXED]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s): openSUSE Tumbleweed
Fixed package version(s):
  • diffoscope >= 261-1.1
References:
  • Patchnames: openSUSE-Tumbleweed-2024-13792


SUSE Timeline for this CVE

CVE page created: Sun Feb 18 15:00:05 2024
CVE page last modified: Tue Sep 3 19:32:58 2024