-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 09 Feb 2024 12:22:37 -0800
Source: diffoscope
Built-For-Profiles: nocheck
Architecture: source
Version: 256
Distribution: unstable
Urgency: high
Maintainer: Reproducible builds folks <reproducible-builds@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Changes:
 diffoscope (256) unstable; urgency=high
 .
   * Use a deterministic name when extracting content from GPG artifacts
     instead of trusting the value of gpg's --use-embedded-filenames. This
     prevents a potential information disclosure vulnerability that could
     have been exploited by providing a specially-crafted GPG file with an
     embedded filename of, say, "../../.ssh/id_rsa". Many thanks to Daniel
     Kahn Gillmor <dkg@debian.org> for reporting this issue and providing
     feedback. (Closes: reproducible-builds/diffoscope#361)
   * Temporarily fix support for Python 3.11.8 re. a potential regression
     with the handling of ZIP files. (See reproducible-builds/diffoscope#362)
Checksums-Sha1:
 4b1e814d39bb41bca62b1b4a21e2fddff7ae73f6 5179 diffoscope_256.dsc
 550f068feeed5b9daaf90f5d205d7a0af314c015 2451936 diffoscope_256.tar.xz
 d6c50efd148b08264c6acb8cbd1026c270250555 7502 diffoscope_256_amd64.buildinfo
Checksums-Sha256:
 039563f19ebc3b97ecab902555dd424cf135fb8ea50ff087539f6f64c2bf6e96 5179 diffoscope_256.dsc
 59d59659979ab62f875e9b7d2ca3fc39540d70238421780310a58b1296bad541 2451936 diffoscope_256.tar.xz
 db85072b75f1dc70ce98fcef23396d75bd68dfac87c0b26043117e96bc0c8f08 7502 diffoscope_256_amd64.buildinfo
Files:
 02c33595d6b364ff2eab584ced015b73 5179 devel optional diffoscope_256.dsc
 b7b94774b1ed5f92621f8087ea29fb7d 2451936 devel optional diffoscope_256.tar.xz
 5564240f26c22b5d714bb21cd125f3b0 7502 devel optional diffoscope_256_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmXGikgACgkQHpU+J9Qx
Hliz0A//VeWk1DzrzQoJUAUDe8URnUzg6ciyi5ng6q7yhlI9yXjPnl/svu0TOxQh
qCA9rqBQ+KBD6O6FV8kfXfpx/3S3zg6zDa1oyIUWEnEtn5oN4z9+iL6MMJ8DzCKz
D2GSxdtYsSOK3bmB5PRAIZcPlbgobBMqppVW5ZOAyFxT2F66wyw91p7vpB4oNfSv
qUmYh0bn5BAobHjpVQ0MEjrGytHbgPWrFX3V7cEqV4q4/CT38YG7ColDfF7XdNoS
aZOe9fwdCzlZ+3VS0Ja9NTKBIUB97unlkO7jUk+cNud0ZT9hvxCfD4Ka5yU7NLM8
pRB+f2+ACQmgUXQTo4lKL3Nfcs8KSfSmr9D7P10csX+39xqSEnNyRRFB5JLmVgRa
ab7t4naMUg1Na20Ieq5AvFkrymq+qz2/JZM/bLEDhbZxMls6XzLd0kuo9XRZickP
OoWaR7z1Om2R/gkjJtzcSiYcqJsWBQOtqgCQFvafrpy8k7bmD+g2kSvVLsz2I8Qo
bUAs+npJKICpLFBNAjK0MdSkM+sAzIeDCZLe4uYgg7FgrGZdm6EWEvJwQsvkPnvR
57DuZw6xCci9EP45nhfbuq93nn3AnV9OmIvKVGiSDjPoL4qer8jC7Nn62UetirU0
Q9IVseE0qsNzzsVwlaw8ysTyViLX2kyJk0kfxnr+VhhobckiLPs=
=hGZ8
-----END PGP SIGNATURE-----
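The first changelog item describes a classic path-traversal hazard: an output path derived from a filename the attacker controls (here, the filename embedded in a GPG literal-data packet). The following is an added example, not diffoscope's own code, that contrasts the vulnerable pattern with the deterministic-name fix. The gpg invocation is simulated (no gpg is run); the embedded filename is the one quoted in the changelog, the fixed name `gpg-content` is a hypothetical stand-in for whatever diffoscope actually chose, and the extraction directory is a constructed temporary directory.

```python
"""Added example (not diffoscope code): trusting an artifact's embedded
filename vs. using a deterministic output name plus a containment check.
The GPG side is simulated; only the path handling is real."""
import os
import tempfile

# Constructed sample: the embedded filename quoted in the diffoscope 256
# changelog. A real attacker would place this in the literal-data packet.
MALICIOUS_EMBEDDED_NAME = "../../.ssh/id_rsa"

# Hypothetical fixed name; the point is that it never comes from the artifact.
DETERMINISTIC_NAME = "gpg-content"


def unsafe_output_path(extract_dir: str, embedded_name: str) -> str:
    """Vulnerable pattern: honour the name embedded in the artifact.

    os.path.join follows '..' components, and if embedded_name is
    absolute it silently discards extract_dir altogether.
    """
    return os.path.normpath(os.path.join(extract_dir, embedded_name))


def escapes(extract_dir: str, path: str) -> bool:
    """True when `path` resolves to somewhere outside `extract_dir`."""
    root = os.path.realpath(extract_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([root, target]) != root


def safe_output_path(extract_dir: str, embedded_name: str) -> str:
    """Hardened pattern: ignore the embedded name entirely and write to a
    fixed name (with gpg this means supplying your own --output instead of
    honouring the embedded filename). The containment check is defence in
    depth: it should never fire, but it turns a future regression into a
    hard error rather than a file write outside the sandbox directory."""
    del embedded_name  # deliberately unused: it is attacker-controlled
    candidate = os.path.join(extract_dir, DETERMINISTIC_NAME)
    if escapes(extract_dir, candidate):
        raise ValueError("output path escapes extraction directory")
    return os.path.realpath(candidate)


def demo() -> dict:
    """Run both patterns against the changelog's sample name inside a
    throwaway directory and report where each would have written."""
    with tempfile.TemporaryDirectory() as extract_dir:
        bad = unsafe_output_path(extract_dir, MALICIOUS_EMBEDDED_NAME)
        good = safe_output_path(extract_dir, MALICIOUS_EMBEDDED_NAME)
        return {
            "unsafe_escapes": escapes(extract_dir, bad),
            "safe_escapes": escapes(extract_dir, good),
            "unsafe_basename": os.path.basename(bad),
            "safe_basename": os.path.basename(good),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details worth noticing. First, the unsafe variant is wrong for absolute names as well as `..` sequences, because `os.path.join` restarts at an absolute component; a filter that only strips `..` would still be bypassable. Second, the fix is not "sanitise the embedded name better" but "do not let the artifact choose the name at all"; the containment check exists only to catch mistakes, not to do the sanitising.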