Bugzilla – Bug 1025086
VUL-0: CVE-2017-0359 diffoscope: writes to arbitrary locations on disk based on the contents of an untrusted archive
Last modified: 2018-02-21 07:08:43 UTC
diffoscope may write to arbitrary locations on disk depending on the contents of an untrusted archive.
Upstream patch: https://anonscm.debian.org/git/reproducible/diffoscope.git/commit/?id=632a40828a54b399787c25e7fa243f732aef7e05
diffoscope is only in factory.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1421770
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0359
bugbot adjusting priority
please submit
Yes, it's mine, thanks. I've updated the package to a 3h old release and prepared https://build.opensuse.org/request/show/514078
this seems to have been fixed back in August, so closing
hmm, but it got into Leap in the meantime. submitting the Factory version to Leap as MR 561144 and handing over to security
This is an autogenerated message for OBS integration: This bug (1025086) was mentioned in https://build.opensuse.org/request/show/561144 42.3 / diffoscope
openSUSE-SU-2018:0060-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1025086
CVE References: CVE-2017-0359
Sources used:
openSUSE Leap 42.3 (src): diffoscope-85-3.1
released