From unknown Sun Jun 22 22:42:56 2025
From: bug#69007 <69007@debbugs.gnu.org>
To: bug#69007 <69007@debbugs.gnu.org>
Subject: Status: diffoscope: Update to 256. [security fixes]
Reply-To: bug#69007 <69007@debbugs.gnu.org>
Date: Mon, 23 Jun 2025 05:42:56 +0000

retitle 69007 diffoscope: Update to 256. [security fixes]
reassign 69007 guix-patches
submitter 69007 Vagrant Cascadian
severity 69007 normal
thanks

From debbugs-submit-bounces@debbugs.gnu.org Fri Feb 09 16:27:41 2024
From: Vagrant Cascadian
To: guix-patches@gnu.org
Subject: diffoscope: Update to 256. [security fixes]
Date: Fri, 09 Feb 2024 13:27:02 -0800
Message-ID: <87r0hl2us9.fsf@wireframe>

The attached patch updates diffoscope to 256, which contains a security
fix for directory traversals when using gpg.

Both diffoscope and its dependent, reprotest, still build fine!

I am not sure what the expedited process for security updates is, but
if there is anything I can do, please let me know!

live well,
  vagrant

[attachment: 0001-gnu-diffoscope-Update-to-256.-security-fixes.patch]

From 9dcababcf0e94ddab30de91054e04400b263879c Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian
Date: Fri, 9 Feb 2024 12:58:57 -0800
Subject: [PATCH] gnu: diffoscope: Update to 256. [security fixes]

Fixes: https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/361

* gnu/packages/diffoscope.scm (diffoscope): Update to 256.
---
 gnu/packages/diffoscope.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/diffoscope.scm b/gnu/packages/diffoscope.scm
index 626ac00425..f4d271f690 100644
--- a/gnu/packages/diffoscope.scm
+++ b/gnu/packages/diffoscope.scm
@@ -74,7 +74,7 @@ (define-module (gnu packages diffoscope)
 (define-public diffoscope
   (package
     (name "diffoscope")
-    (version "255")
+    (version "256")
     (source
      (origin
        (method git-fetch)
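Review bot: the version bump in this hunk does more than relabel the package, because the origin's `(commit version)` (visible as context in the following hunk) makes git-fetch check out the upstream tag named by this string, so tag 256 is selected by name only and the sha256 replaced in the next hunk is the sole thing pinning its content; before pushing, recompute that hash from an independent checkout of the tag (e.g. `guix hash -rx .` in the clone, or `guix refresh -u diffoscope` and compare the result) rather than relying on the submitted value, and rebuild the one dependent, reprotest, as the cover letter reports was done. The commit message cites only the upstream issue for the gpg directory-traversal fix; if an advisory identifier is assigned, adding it to the message would make this `[security fixes]` entry easier to cross-reference later.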
@@ -83,7 +83,7 @@ (define-public diffoscope
              (commit version)))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "07mkmwp3ni2dh5w5q2vxkc588l5dabcly3jrd8ic62318si7d400"))))
+        (base32 "1sdg314a3hp2kv492130p8w7j8mlhymij7h2rndm4q7gqrshp6jf"))))
     (build-system python-build-system)
     (arguments
      (list

base-commit: 513755d64debb44096f21e323a5b89a7a597d2ca
-- 
2.39.2

From debbugs-submit-bounces@debbugs.gnu.org Fri Feb 09 16:41:57 2024
Date: Fri, 09 Feb 2024 21:41:27 +0000
To: Vagrant Cascadian
From: John Kehayias
Subject: Re: bug#69007: diffoscope: Update to 256. [security fixes]
Message-ID: <87mss98ge4.fsf@protonmail.com>
Cc: 69007@debbugs.gnu.org

Hi vagrant!

On Fri, Feb 09, 2024 at 01:27 PM, Vagrant Cascadian wrote:

> The attached patch updates diffoscope to 256, which contains a security
> fix for directory traversals when using gpg.
>
> Both diffoscope and its dependent, reprotest, still build fine!
>

Great, thank you! (following up here for posterity; discussed via IRC)

> I am not sure what the expedited process for security updates is, but
> if there is anything I can do, please let me know!
>

As we discussed, we should formalize some CC-ing of the security list, or
a separate security team for reviewing patches (for public flaws, rather
than reporting them). And making sure "[security fixes]" is noted, as you
did here, for easy sorting.

> live well,
>   vagrant
>
> From 9dcababcf0e94ddab30de91054e04400b263879c Mon Sep 17 00:00:00 2001
> From: Vagrant Cascadian
> Date: Fri, 9 Feb 2024 12:58:57 -0800
> Subject: [PATCH] gnu: diffoscope: Update to 256. [security fixes]
>

In any event, patch looks good and as a leaf with a pretty trivial patch,
I think you would be clear to push directly to begin with. There was some
discussion a while back at what is "trivial," but a version update with 1
dependent is about as easy as it gets. Perhaps another thing to make sure
we are on the same page about, but I doubt anyone would complain if you
had pushed this directly. We could also let QA build, since it is back up,
but again, very minor concern here if something were to break.

Anyway, please do push! I might put "[security fixes]" before the period
in the commit message to match previous ones, but that is very minor.

Thanks again!
John

> Fixes: https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/361
>
> * gnu/packages/diffoscope.scm (diffoscope): Update to 256.
> ---
>  gnu/packages/diffoscope.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/diffoscope.scm b/gnu/packages/diffoscope.scm
> index 626ac00425..f4d271f690 100644
> --- a/gnu/packages/diffoscope.scm
> +++ b/gnu/packages/diffoscope.scm
> @@ -74,7 +74,7 @@ (define-module (gnu packages diffoscope)
>  (define-public diffoscope
>    (package
>      (name "diffoscope")
> -    (version "255")
> +    (version "256")
>      (source
>       (origin
>         (method git-fetch)
> @@ -83,7 +83,7 @@ (define-public diffoscope
>               (commit version)))
>         (file-name (git-file-name name version))
>         (sha256
> -        (base32 "07mkmwp3ni2dh5w5q2vxkc588l5dabcly3jrd8ic62318si7d400"))))
> +        (base32 "1sdg314a3hp2kv492130p8w7j8mlhymij7h2rndm4q7gqrshp6jf"))))
>      (build-system python-build-system)
>      (arguments
>       (list
>
> base-commit: 513755d64debb44096f21e323a5b89a7a597d2ca

From debbugs-submit-bounces@debbugs.gnu.org Fri Feb 09 17:19:23 2024
From: Vagrant Cascadian
To: 69007-done@debbugs.gnu.org
Subject: Re: diffoscope: Update to 256. [security fixes]
In-Reply-To: <87r0hl2us9.fsf@wireframe>
References: <87r0hl2us9.fsf@wireframe>
Date: Fri, 09 Feb 2024 14:18:52 -0800
Message-ID: <87jznd2sdv.fsf@wireframe>

On 2024-02-09, Vagrant Cascadian wrote:
> The attached patch updates diffoscope to 256, which contains a security
> fix for directory traversals when using gpg.
>
> Both diffoscope and its dependent, reprotest, still build fine!

Pushed as 30196aec07dab8cc0f4a614b160f1857377a6a84.

live well,
  vagrant

From unknown Sun Jun 22 22:42:56 2025
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Sat, 09 Mar 2024 12:24:05 +0000

bug archived.