CVE-2020-17353: scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript code.

Patch, not in a release yet as far as I can tell:
https://git.savannah.gnu.org/gitweb/?p=lilypond.git;a=commit;h=b84ea4740f3279516905c5db05f4074e777c16ff
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b643169012fae9013d509ef7fc19602450113b77

commit b643169012fae9013d509ef7fc19602450113b77
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-08-05 17:57:09 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-08-05 17:57:26 +0000

    media-sound/lilypond: fixed cve-2020-17353

    Bug: https://bugs.gentoo.org/736074
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 .../files/lilypond-fix-cve-2020-17353.patch | 101 ++++++++++++++++
 media-sound/lilypond/lilypond-2.21.1-r1.ebuild | 130 +++++++++++++++++++++
 ...ond-2.21.4.ebuild => lilypond-2.21.4-r1.ebuild} | 1 +
 3 files changed, 232 insertions(+)
i think 2.21.1-r1 can go stable if needed.
(In reply to Miroslav Šulc from comment #2)
> i think 2.21.1-r1 can go stable if needed.

Thanks.
arm64 done
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a38c1ce10a896855b8917a58ffc50bcc693802d

commit 1a38c1ce10a896855b8917a58ffc50bcc693802d
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-08-07 12:04:48 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-08-07 12:04:48 +0000

    media-sound/lilypond: removed vulnerable 2.21.1

    Bug: https://bugs.gentoo.org/736074
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-sound/lilypond/lilypond-2.21.1.ebuild | 129 ----------------------------
 1 file changed, 129 deletions(-)
we're clean now
(In reply to Miroslav Šulc from comment #8)
> we're clean now

Thanks!