Reproducible Builds Diffoscope vulnerabilities
2 known vulnerabilities affecting reproducible_builds/diffoscope.
Total CVEs: 2
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown
CRITICAL: 1, HIGH: 1
Vulnerabilities
CVE-2024-25711 | HIGH | CVSS 7.5 | CWE-22 | fixed in 256 | 2024-02-27
diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.
GHSA, NVD, OSV
CVE-2017-0359 | CRITICAL | CVSS 9.8 | PoC | fixed in 77 | 2018-04-13
diffoscope before 77 writes to arbitrary locations on disk based on the contents of an untrusted archive.
GHSA, NVD, OSV