diffoscope before 76 writes to arbitrary locations on disk based on the contents of an untrusted archive.
bugs.debian.org/cgi-bin/bugreport.cgi?bug=854723
github.com/anthraxx/diffoscope
github.com/anthraxx/diffoscope/commit/632a40828a54b399787c25e7fa243f732aef7e05
github.com/anthraxx/diffoscope/commit/f379d1f611dbd5d361e12b732e07c8aee45ff226
nvd.nist.gov/vuln/detail/CVE-2017-0359
security-tracker.debian.org/tracker/CVE-2017-0359