Bug 23146 - lilypond new security issue CVE-2017-17523
Summary: lilypond new security issue CVE-2017-17523
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2018-06-07 23:47 CEST by David Walser
Modified: 2020-11-12 15:49 CET (History)
8 users (show)

See Also:
Source RPM: lilypond-2.19.61-1.mga6.src.rpm
Status comment:

lilypond test case 1 (2.22 KB, text/x-matlab)
2018-10-24 14:53 CEST, Herman Viaene
lilypond test case 2 (1.38 KB, text/x-matlab)
2018-10-24 14:54 CEST, Herman Viaene

Description David Walser 2018-06-07 23:47:43 CEST
openSUSE has issued an advisory on May 21:

The new CVE they fixed was due to an incomplete fix for this CVE, which we never fixed (to my knowledge).  It's not clear which versions are affected.
Comment 1 Marja Van Waes 2018-06-08 21:34:18 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => rverschelde

Comment 2 Bruno Cornec 2018-10-13 01:29:41 CEST
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898373 it is fixed in 2.19.81. I'm working on importing 2.19.82 which is the latest devel version for cauldron (doc management takes time using an ADSL link !)

CC: (none) => bruno

Bruno Cornec 2018-10-13 16:35:27 CEST

Whiteboard: (none) => MGA6TOO

Comment 3 Bruno Cornec 2018-10-13 16:46:58 CEST
2.19.82 submitted to cauldron
David Walser 2018-10-13 17:37:48 CEST

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 4 Bruno Cornec 2018-10-13 18:52:52 CEST
2.19.82 also submitted to MGA6 core/updates_testing
Bruno Cornec 2018-10-13 18:53:15 CEST

Assignee: rverschelde => qa-bugs
Target Milestone: --- => Mageia 6

Comment 5 David Walser 2018-10-13 21:02:15 CEST
Incorrectly built with a subrel, so it's release is higher than mga7.  Do not use subrel when upgrading to a new version.

Also, Target Milestone is for Cauldron bugs, saying which stable version we hope to fix it by.  It's not for stable updates.

Sysadmins, please remove lilypond from mga6 core/updates_testing.

Target Milestone: Mageia 6 => ---
CC: (none) => sysadmin-bugs
Assignee: qa-bugs => bruno

Comment 6 Bruno Cornec 2018-10-15 02:01:32 CEST
svn updated, sorry for the error. ready to push when the previous version is removed.
Comment 7 David Walser 2018-10-20 01:02:11 CEST
I believe the previous build has been removed.  The hdlists haven't been updated, so something else should probably be pushed to updates_testing first.

CC: sysadmin-bugs => (none)

Comment 8 Thomas Backlund 2018-10-20 10:58:32 CEST
hdlists gets re-generated every time we push validated updates, wich was done last night...

CC: (none) => tmb

Comment 9 Bruno Cornec 2018-10-21 17:39:52 CEST
lilypond-2.19.82-1.mga6 is now in core/updates_testing

Assignee: bruno => qa-bugs

Comment 10 David Walser 2018-10-21 18:52:17 CEST

Updated lilypond packages fix security vulnerability:

lilypond does not validate strings before launching the program specified by the
BROWSER environment variable, which allows remote attackers to conduct
argument-injection attacks (CVE-2017-17523).


Updated packages in core/updates_testing:

from lilypond-2.19.82-1.mga6.src.rpm
Comment 11 Herman Viaene 2018-10-24 14:53:54 CEST
Created attachment 10425 [details]
lilypond test case 1

CC: (none) => herman.viaene

Comment 12 Herman Viaene 2018-10-24 14:54:42 CEST
Created attachment 10426 [details]
lilypond test case 2
Comment 13 Herman Viaene 2018-10-24 15:00:32 CEST
MGA6-32 MATE on IBM Thinkpad  R50e
No installation issues
Tried (thanks to references in bug 13576) following runs with the attached files:
$ lilypond --png -o lilytest lily-0dae7688.ly 
GNU LilyPond 2.19.82
Verwerken van 'lily-0dae7688.ly'
Hernoemen van invoer naar: '/home/gub/gub/target/linux-x86/src/lilypond-git.sv.gnu.org--lilypond.git-stable-2.18/input/regression/accidental-contemporary.ly'
Vertolken van muziek...
Voorbewerken van grafische objecten...
Vertolken van muziek...
Voorbewerken van grafische objecten...
Berekenen van regeleinden... 
Tekenen van systemen... 
Berekenen van regeleinden... 
Tekenen van systemen... 
Opmaakuitvoer naar 'lilytest.eps'...
Converteren naar PNG...
Verwijderen van 'lilytest.eps'...
Opmaakuitvoer naar 'lilytest-1.eps'...
Opmaakuitvoer naar 'lilytest-2.eps'...
Opmaakuitvoer naar 'lilytest-3.eps'...
Opmaakuitvoer naar 'lilytest-4.eps'...
Schrijven van lilytest-systems.texi...
Schrijven van lilytest-systems.tex...
Schrijven van lilytest-systems.count...
Gelukt: compilatie is met succes voltooid

Resulting png file is same as in lilypond site
Similarly following cases all produced fine output
$ lilypond --pdf -o lilytest lily-0dae7688.ly 
$ lilypond --png -o lilytest2 lily-496abe90.ly
$ lilypond --pdf -o lilytest2 lily-496abe90.ly

Whiteboard: (none) => MGA6-32-OK

Comment 14 Len Lawrence 2018-10-24 16:58:46 CEST
Testing this on Mageia 6, x86_64.
Thanks Herman for the attachments and the pointers.

Tried one of the test files before updating.  That was OK.

There are comments against the CVEs which might lead to a PoC or two for somebody familiar with the interface.  Leaving that alone and going for the updates.

$ lilypond --png -o lilytest lily-0dae7688.ly 
GNU LilyPond 2.19.61
Processing `lily-0dae7688.ly'

$ ls
lily-0dae7688.ly  lilytest-2.eps  lilytest.png            lilytest-systems.texi
lily-496abe90.ly  lilytest-3.eps  lilytest-systems.count
lilytest-1.eps    lilytest-4.eps  lilytest-systems.tex

lilytest.png is an image of part of a musical score.
Repeated the test with --ps to output an encapsulated postscript file lilytest.eps which could be imported into libreoffice and printed out.  Looks good.

$ lilypond --pdf -o lilytest2 lily-496abe90.ly

That generated  a one page PDF, lilytest2.pdf which looked fine and printed out from okular.

Adding the 64-bit OK.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => tarazed25

Comment 15 Thomas Andrews 2018-10-26 00:41:25 CEST
Validating. Suggested advisory in Comment 10.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2018-10-26 15:41:26 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 16 Mageia Robot 2018-10-26 20:48:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Comment 17 Len Lawrence 2020-11-12 15:45:17 CET
mga7, x64

$ lilypond -dsafe input_regression_les-nereides.ly
GNU LilyPond 2.19.83
Processing `input_regression_les-nereides.ly'
error: program too old: 2.19.83 (file requires: 2.21.0)
input_regression_les-nereides.ly:75:38: error: GUILE signaled an error for the expression beginning here
    \override Fingering.direction = #
Unbound variable: DOWN
Interpreting music...
warning: type check for `direction' failed; value `#<unspecified>' must be of type `direction'
Converting to `input_regression_les-nereides.pdf'...
Deleting `/tmp/lilypond-4338Dq'...
fatal error: failed files: "input_regression_les-nereides.ly"

$ lilypond -dsafe f
GNU LilyPond 2.19.83
Processing `f.ly'
f.ly:1: warning: no \version statement found, please add

\version "2.19.83"

for future compatibility
Interpreting music...
Preprocessing graphical objects...
Finding the ideal number of pages...
Fitting music on 1 page...
Drawing systems...
Layout output to `/tmp/lilypond-jxz0Bc'...
Converting to `f.pdf'...
Deleting `/tmp/lilypond-jxz0Bc'...
Success: compilation successfully completed
lcl@difda:Downloads $ ll f.pdf
-rw-r--r-- 1 lcl lcl 27101 Nov 12 12:55 f.pdf

This differs from the result upstream.

$ ll f.pdf
-rw-r--r-- 1 lcl lcl 27101 Nov 12 12:55 f.pdf

This displayed a single note score in okular.

Updated the two packages and tried the PoC again.
No discernible difference for the first one but the second terminated without generating f.pdf.
/usr/share/lilypond/2.19.83/scm/define-markup-commands.scm:1108:3: Wrong type argument in position 1 (expecting registered stencil expression): (embedded-ps "
gsave currentpoint translate
0.1 setlinewidth
  (x) show 

That probably vindicates the patch.

Tested on several lilypond files with no problems.
$ lilypond lily-0dae7688.ly
Layout output to `lily-0dae7688-4.eps'...
Converting to `./lily-0dae7688-1.pdf'...
Converting to `./lily-0dae7688-2.pdf'...
Converting to `./lily-0dae7688-3.pdf'...
Converting to `./lily-0dae7688-4.pdf'...
Writing lily-0dae7688-systems.texi...
Writing lily-0dae7688-systems.tex...
Writing lily-0dae7688-systems.count...
Success: compilation successfully completed

The four output PDFs each showed a valid bar of music which could be printed directly from okular.
Generated a PNG file and four EPS files from the same input.
$ lilypond --png -o lilytest lily-0dae7688.ly
Layout output to `lilytest-1.eps'...
Layout output to `lilytest-2.eps'...
Layout output to `lilytest-3.eps'...
Layout output to `lilytest-4.eps'...
Writing lilytest-systems.texi...
Writing lilytest-systems.tex...
Writing lilytest-systems.count...
Success: compilation successfully completed

Imported one of the .eps files into LibreOffice - displays fine.

Giving this the OK.
Comment 18 Len Lawrence 2020-11-12 15:49:26 CET
Another oops!

Note You need to log in before you can comment on or make changes to this bug.