Bug 31889

Summary: lilypond new security issue CVE-2020-17354
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: fri, marja11, sysadmin-bugs
Version: 9
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: lilypond-2.24.1-2.mga9.src.rpm
CVE: CVE-2020-17354
Status comment: Advisory in comment#6
Attachments: Simple file to test

Description David Walser 2023-05-07 01:22:04 CEST
Fedora has issued an advisory on April 26:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MN6Q4OQGESLYJKPCLYKRILLAW23FATKL/

The issue is fixed upstream in 2.24.1.
David Walser 2023-05-07 01:22:25 CEST

Status comment: (none) => Fixed upstream in 2.24.1

Comment 1 Lewis Smith 2023-05-07 21:22:11 CEST Comment hidden (obsolete)

Assignee: bugsquad => bruno

Comment 2 Bruno Cornec 2023-05-08 18:37:06 CEST Comment hidden (obsolete)

Status: NEW => ASSIGNED

Comment 3 Bruno Cornec 2023-11-24 03:05:23 CET Comment hidden (obsolete)

Status: ASSIGNED => RESOLVED
Resolution: (none) => WONTFIX

Comment 4 katnatek 2023-11-24 20:09:52 CET Comment hidden (obsolete)
Comment 5 Bruno Cornec 2023-11-26 01:22:36 CET
I did push 2.24.2 in August, but no one tested it, I think.
So I'll update this ticket so QA can validate it.

Resolution: WONTFIX => (none)
Status: RESOLVED => REOPENED
Version: 8 => 9
Assignee: bruno => qa-bugs

Comment 6 katnatek 2023-11-26 02:53:06 CET
Advisories:
Updated packages of lilypond fix vulnerability

References:
CVE-2020-17354

Packages in 9/core/updates_testing:
lilypond-2.24.2-2.mga9
lilypond-doc-2.24.2-2.mga9

From SRPM:
lilypond-2.24.2-2.mga9
katnatek 2023-11-26 02:55:22 CET

Source RPM: lilypond-2.20.0-4.mga8.src.rpm => lilypond-2.24.1-2.mga9.src.rpm
CVE: (none) => CVE-2020-17354
Status comment: Fixed upstream in 2.24.1 => Advisory in comment#6

Comment 7 katnatek 2023-11-26 03:29:33 CET
Created attachment 14184
Simple file to test

Download the file as lilytest.txt
Run as a normal user: lilypond lilytest.txt
The program generates lilytest.pdf
Comment 8 katnatek 2023-11-26 03:38:29 CET
Tested on real hardware with Mageia 9 i586 LXQt

Installed the current version without issues
Updated to the testing version without issues
Ran lilypond with the test file (contains a basic example from the web)
The application produces the pdf with the expected content
Comment 9 Morgan Leijström 2023-11-26 12:14:38 CET
Validating per Comment 8, plus the packager also uses lilypond himself.

Keywords: (none) => validated_update
CC: (none) => fri, sysadmin-bugs

Comment 10 Marja Van Waes 2023-11-26 12:36:19 CET
Advisory from comment 6 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

CC: (none) => marja11
Keywords: (none) => advisory

Comment 11 Mageia Robot 2023-11-27 17:19:57 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0325.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED