Portmod 2.5.8 has been released. This is a bugfix release, notably
including fixes for two security vulnerabilities, one of which affects
all users.
Note that these vulnerabilities are exploitable by malicious packages
and repositories, making it possible for them to bypass the restricted
permissions of the sandbox and make arbitrary changes to your system,
limited only by the permissions of the account running Portmod.
However, as I think this is the first time I've reported a security
vulnerability in portmod, I think it should be noted that no such
malicious packages are known to exist, and portmod remains a small
enough thing that it's unlikely to be dealing with exploits in the near
future.
Full details can be found on the release page:
https://gitlab.com/portmod/portmod/-/releases/v2.5.8
Benjamin Winger