mirror of
https://git.yoctoproject.org/poky
synced 2026-02-10 18:53:13 +01:00
82902b3d64
diffoscope before 256 allows directory traversal via an embedded
filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa,
may be disclosed to an attacker. This occurs because the value of the
gpg --use-embedded-filenames option is trusted.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-25711
Upstream patches:
458f7f04bc
(From OE-Core rev: da4977e9414361a30eb322d1456a664515b35693)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
32 lines
1.2 KiB
BlitzBasic
32 lines
1.2 KiB
BlitzBasic
SUMMARY = "in-depth comparison of files, archives, and directories"
|
|
DESCRIPTION = "Tries to get to the bottom of what makes files or directories \
|
|
different. It will recursively unpack archives of many kinds and transform \
|
|
various binary formats into more human-readable form to compare them. \
|
|
It can compare two tarballs, ISO images, or PDF just as easily."
|
|
HOMEPAGE = "https://diffoscope.org/"
|
|
BUGTRACKER = "https://salsa.debian.org/reproducible-builds/diffoscope/-/issues"
|
|
LICENSE = "GPL-3.0-or-later"
|
|
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
|
|
|
|
PYPI_PACKAGE = "diffoscope"
|
|
|
|
inherit pypi setuptools3
|
|
|
|
SRC_URI += " file://CVE-2024-25711.patch"
|
|
SRC_URI[sha256sum] = "2c5c0ac1159eefce158154849fe67f0f527dffc5295bfd3ca1aef14962ffcbcb"
|
|
|
|
RDEPENDS:${PN} += "binutils vim squashfs-tools python3-libarchive-c python3-magic python3-rpm"
|
|
|
|
# Dependencies don't build for musl
|
|
COMPATIBLE_HOST:libc-musl = 'null'
|
|
|
|
do_install:append:class-native() {
|
|
create_wrapper ${D}${bindir}/diffoscope \
|
|
MAGIC=${STAGING_DIR_NATIVE}${datadir_native}/misc/magic.mgc \
|
|
RPM_CONFIGDIR=${STAGING_LIBDIR_NATIVE}/rpm \
|
|
LD_LIBRARY_PATH=${STAGING_LIBDIR_NATIVE} \
|
|
RPM_ETCCONFIGDIR=${STAGING_DIR_NATIVE}
|
|
}
|
|
|
|
BBCLASSEXTEND = "native"
|