736074 – (CVE-2020-17353) <media-sound/lilypond-2.21.1-r1: Potential unsafe usage of ghostscript (CVE-2020-17353)

Bug 736074 (CVE-2020-17353) - <media-sound/lilypond-2.21.1-r1: Potential unsafe usage of ghostscript (CVE-2020-17353)

Summary: <media-sound/lilypond-2.21.1-r1: Potential unsafe usage of ghostscript (CVE-2...

Status:	RESOLVED FIXED

Alias:	CVE-2020-17353

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://git.savannah.gnu.org/gitweb/?...
Whiteboard:	B4 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2020-08-05 17:02 UTC by John Helmert III
Modified:	2020-08-11 02:48 UTC (History)
CC List:	2 users (show)

See Also:
Package list:	media-sound/lilypond-2.21.1-r1
Runtime testing required:	---

Flags:	nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2020-08-05 17:02:07 UTC

CVE-2020-17353:

scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript code.



Patch, not in a release yet as far as I can tell: https://git.savannah.gnu.org/gitweb/?p=lilypond.git;a=commit;h=b84ea4740f3279516905c5db05f4074e777c16ff

Comment 1 Larry the Git Cow gentoo-dev

2020-08-05 17:57:33 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b643169012fae9013d509ef7fc19602450113b77

commit b643169012fae9013d509ef7fc19602450113b77
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-08-05 17:57:09 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-08-05 17:57:26 +0000

    media-sound/lilypond: fixed cve-2020-17353
    
    Bug: https://bugs.gentoo.org/736074
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 .../files/lilypond-fix-cve-2020-17353.patch        | 101 ++++++++++++++++
 media-sound/lilypond/lilypond-2.21.1-r1.ebuild     | 130 +++++++++++++++++++++
 ...ond-2.21.4.ebuild => lilypond-2.21.4-r1.ebuild} |   1 +
 3 files changed, 232 insertions(+)

Comment 2 Miroslav Šulc gentoo-dev

2020-08-05 17:58:10 UTC

i think 2.21.1-r1 can go stable if needed.

Comment 3 John Helmert III archtester

2020-08-05 18:04:18 UTC

(In reply to Miroslav Šulc from comment #2)
> i think 2.21.1-r1 can go stable if needed.

Thanks.

Comment 4 Sam James archtester

2020-08-05 23:14:09 UTC

arm64 done

Comment 5 Agostino Sarubbo gentoo-dev

2020-08-07 11:46:09 UTC

amd64 stable

Comment 6 Agostino Sarubbo gentoo-dev

2020-08-07 11:53:57 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 7 Larry the Git Cow gentoo-dev

2020-08-07 12:05:08 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a38c1ce10a896855b8917a58ffc50bcc693802d

commit 1a38c1ce10a896855b8917a58ffc50bcc693802d
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-08-07 12:04:48 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-08-07 12:04:48 +0000

    media-sound/lilypond: removed vulnerable 2.21.1
    
    Bug: https://bugs.gentoo.org/736074
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-sound/lilypond/lilypond-2.21.1.ebuild | 129 ----------------------------
 1 file changed, 129 deletions(-)

Comment 8 Miroslav Šulc gentoo-dev

2020-08-07 12:05:48 UTC

we're clean now

Comment 9 John Helmert III archtester

2020-08-07 16:42:18 UTC

(In reply to Miroslav Šulc from comment #8)
> we're clean now

Thanks!