Arch Linux Security Advisory ASA-201702-14
==========================================

Severity: Medium
Date    : 2017-02-17
CVE-ID  : CVE-2017-0359
Package : diffoscope
Type    : arbitrary file overwrite
Remote  : No
Link    : https://security.archlinux.org/AVG-175

Summary
=======

The package diffoscope before version 77-1 is vulnerable to arbitrary
file overwrite.

Resolution
==========

Upgrade to 77-1.

# pacman -Syu "diffoscope>=77-1"

The problem has been fixed upstream in version 77.

Workaround
==========

None.

Description
===========

It has been discovered that diffoscope may write to arbitrary locations
on disk depending on the contents of an untrusted archive.

Impact
======

An attacker is able to create a specially crafted archive that, when
processed, overwrites arbitrary files on disc.

References
==========

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854723
https://anonscm.debian.org/git/reproducible/diffoscope.git/commit/?id=632a40828a54b399787c25e7fa243f732aef7e05
https://security.archlinux.org/CVE-2017-0359
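
Added example (not diffoscope's code and not the upstream fix): the Description and Impact sections above do not state the mechanism, so this sketch shows one general defence for this class of bug, confirming that each archive member's destination stays inside the extraction directory before anything is written. The names `safe_destination`, `audit_members` and `demo`, and the sample member names, are constructed for illustration.

```python
import os
import tempfile


class UnsafeMemberError(ValueError):
    """Raised when an archive member would land outside the target directory."""


def safe_destination(base_dir, member_name):
    """Return the resolved path for member_name under base_dir, or raise."""
    base = os.path.realpath(base_dir)
    # An absolute member name would make os.path.join discard base entirely.
    if os.path.isabs(member_name):
        raise UnsafeMemberError("absolute path: %r" % member_name)
    # realpath collapses ".." and follows symlinks already present on disk,
    # so a link created by an earlier member cannot redirect a later write.
    target = os.path.realpath(os.path.join(base, member_name))
    if os.path.commonpath([base, target]) != base:
        raise UnsafeMemberError("escapes %s: %r" % (base, member_name))
    return target


def audit_members(base_dir, member_names):
    """Split names into (accepted, rejected) without writing any file."""
    accepted, rejected = [], []
    for name in member_names:
        try:
            safe_destination(base_dir, name)
            accepted.append(name)
        except ValueError:  # UnsafeMemberError, or e.g. an embedded NUL byte
            rejected.append(name)
    return accepted, rejected


def demo():
    # Constructed sample: a scratch extraction directory that already holds a
    # symlink pointing elsewhere, plus constructed member names.
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as dest:
        os.symlink(outside, os.path.join(dest, "link"))
        names = [
            "data/control.tar", "../escape.txt", "/tmp/absolute.txt",
            "link/via-symlink.txt", "a/../b.txt",
        ]
        return audit_members(dest, names)


if __name__ == "__main__":
    print(demo())
```

The check must run immediately before each write, since a symlink extracted from the same archive changes what a later member name resolves to.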