openSUSE has issued an advisory on May 21: https://lists.opensuse.org/opensuse-updates/2018-05/msg00082.html The new CVE they fixed was due to an incomplete fix for this CVE, which we never fixed (to my knowledge). It's not clear which versions are affected.
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => rverschelde
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898373 it is fixed in 2.19.81. I'm working on importing 2.19.82 which is the latest devel version for cauldron (doc management takes time using an ADSL link!)
Status: NEW => ASSIGNED
CC: (none) => bruno
Whiteboard: (none) => MGA6TOO
2.19.82 submitted to cauldron
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
2.19.82 also submitted to MGA6 core/updates_testing
Assignee: rverschelde => qa-bugs
Target Milestone: --- => Mageia 6
Incorrectly built with a subrel, so its release is higher than mga7. Do not use subrel when upgrading to a new version. Also, Target Milestone is for Cauldron bugs, saying which stable version we hope to fix it by. It's not for stable updates. Sysadmins, please remove lilypond from mga6 core/updates_testing.
Target Milestone: Mageia 6 => ---
CC: (none) => sysadmin-bugs
Assignee: qa-bugs => bruno
SVN updated, sorry for the error. Ready to push when the previous version is removed.
I believe the previous build has been removed. The hdlists haven't been updated, so something else should probably be pushed to updates_testing first.
CC: sysadmin-bugs => (none)
hdlists gets re-generated every time we push validated updates, which was done last night...
CC: (none) => tmb
lilypond-2.19.82-1.mga6 is now in core/updates_testing
Assignee: bruno => qa-bugs
Advisory:
========================

Updated lilypond packages fix security vulnerability:

lilypond does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks (CVE-2017-17523).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17523
https://lists.opensuse.org/opensuse-updates/2018-05/msg00082.html
========================

Updated packages in core/updates_testing:
========================
lilypond-2.19.82-1.mga6
lilypond-doc-2.19.82-1.mga6

from lilypond-2.19.82-1.mga6.src.rpm
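Added example, not part of the original bug report and not lilypond's code: the class of issue the advisory describes (a string handed unvalidated to the program named by BROWSER), shown as a naive command string beside a validated argv list. The function names, the allowed schemes and the sample URLs are assumptions constructed for illustration.

```python
import shlex
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "file"}  # assumption: what a doc viewer needs


def naive_command(browser, url):
    """Unsafe pattern: the URL is pasted into one command string."""
    return f"{browser} {url}"


def validate_url(url):
    """Reject strings the browser could read as an option or extra argument."""
    if url.startswith("-"):
        raise ValueError("URL looks like a command-line option")
    if any(c.isspace() or ord(c) < 0x20 for c in url):
        raise ValueError("whitespace or control character in URL")
    scheme = urlsplit(url).scheme
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    return url


def browser_argv(browser, url):
    """Build an argv list (no shell); the URL is always exactly one element."""
    url = validate_url(url)
    argv = shlex.split(browser)
    if not argv:
        raise ValueError("BROWSER is empty")
    if any("%s" in arg for arg in argv):
        return [arg.replace("%s", url) for arg in argv]
    return argv + [url]


if __name__ == "__main__":
    # Constructed inputs; "--placeholder-option" is not a real browser flag.
    hostile = "https://example.org/doc.html --placeholder-option"
    print(shlex.split(naive_command("firefox", hostile)))  # URL became two arguments
    print(browser_argv("firefox %s", "https://example.org/doc.html"))
    try:
        browser_argv("firefox", hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

Pass the returned list to `subprocess.run(argv)` without `shell=True`, so the URL reaches the browser as a single argument.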
Created attachment 10425
lilypond test case 1
CC: (none) => herman.viaene
Created attachment 10426
lilypond test case 2
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Tried (thanks to references in bug 13576) following runs with the attached files:
$ lilypond --png -o lilytest lily-0dae7688.ly
GNU LilyPond 2.19.82
Verwerken van 'lily-0dae7688.ly'
Ontleden...
Hernoemen van invoer naar: '/home/gub/gub/target/linux-x86/src/lilypond-git.sv.gnu.org--lilypond.git-stable-2.18/input/regression/accidental-contemporary.ly'
Vertolken van muziek...
Voorbewerken van grafische objecten...
Vertolken van muziek...
Voorbewerken van grafische objecten...
Berekenen van regeleinden...
Tekenen van systemen...
Berekenen van regeleinden...
Tekenen van systemen...
Opmaakuitvoer naar 'lilytest.eps'...
Converteren naar PNG...
Verwijderen van 'lilytest.eps'...
Opmaakuitvoer naar 'lilytest-1.eps'...
Opmaakuitvoer naar 'lilytest-2.eps'...
Opmaakuitvoer naar 'lilytest-3.eps'...
Opmaakuitvoer naar 'lilytest-4.eps'...
Schrijven van lilytest-systems.texi...
Schrijven van lilytest-systems.tex...
Schrijven van lilytest-systems.count...
Gelukt: compilatie is met succes voltooid
Resulting png file is same as in lilypond site
Similarly following cases all produced fine output
$ lilypond --pdf -o lilytest lily-0dae7688.ly
and
$ lilypond --png -o lilytest2 lily-496abe90.ly
and
$ lilypond --pdf -o lilytest2 lily-496abe90.ly
Whiteboard: (none) => MGA6-32-OK
Testing this on Mageia 6, x86_64.
Thanks Herman for the attachments and the pointers.
Tried one of the test files before updating. That was OK.
There are comments against the CVEs which might lead to a PoC or two for somebody familiar with the interface. Leaving that alone and going for the updates.
$ lilypond --png -o lilytest lily-0dae7688.ly
GNU LilyPond 2.19.61
Processing `lily-0dae7688.ly'
Parsing...
[...]
$ ls
lily-0dae7688.ly  lilytest-2.eps  lilytest.png            lilytest-systems.texi
lily-496abe90.ly  lilytest-3.eps  lilytest-systems.count
lilytest-1.eps    lilytest-4.eps  lilytest-systems.tex
lilytest.png is an image of part of a musical score.
Repeated the test with --ps to output an encapsulated postscript file lilytest.eps which could be imported into libreoffice and printed out. Looks good.
$ lilypond --pdf -o lilytest2 lily-496abe90.ly
That generated a one page PDF, lilytest2.pdf which looked fine and printed out from okular.
Adding the 64-bit OK.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => tarazed25
Validating. Suggested advisory in Comment 10.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0412.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
mga7, x64
CVE-2020-17353
http://git.savannah.gnu.org/gitweb/?p=lilypond.git;a=commit;h=b84ea4740f3279516905c5db05f4074e777c16ff
$ lilypond -dsafe input_regression_les-nereides.ly
GNU LilyPond 2.19.83
Processing `input_regression_les-nereides.ly'
Parsing...
error: program too old: 2.19.83 (file requires: 2.21.0)
input_regression_les-nereides.ly:75:38: error: GUILE signaled an error for the expression beginning here
\override Fingering.direction = # [...] DOWN
Unbound variable: DOWN
Interpreting music...
warning: type check for `direction' failed; value `#<unspecified>' must be of type `direction'
[...]
Converting to `input_regression_les-nereides.pdf'...
Deleting `/tmp/lilypond-4338Dq'...
fatal error: failed files: "input_regression_les-nereides.ly"
$ lilypond -dsafe f
GNU LilyPond 2.19.83
Processing `f.ly'
Parsing...
f.ly:1: warning: no \version statement found, please add
\version "2.19.83"
for future compatibility
Interpreting music...
Preprocessing graphical objects...
Finding the ideal number of pages...
Fitting music on 1 page...
Drawing systems...
Layout output to `/tmp/lilypond-jxz0Bc'...
Converting to `f.pdf'...
Deleting `/tmp/lilypond-jxz0Bc'...
Success: compilation successfully completed
lcl@difda:Downloads $ ll f.pdf
-rw-r--r-- 1 lcl lcl 27101 Nov 12 12:55 f.pdf
This differs from the result upstream.
$ ll f.pdf
-rw-r--r-- 1 lcl lcl 27101 Nov 12 12:55 f.pdf
This displayed a single note score in okular.
Updated the two packages and tried the PoC again. No discernible difference for the first one but the second terminated without generating f.pdf.
.....
/usr/share/lilypond/2.19.83/scm/define-markup-commands.scm:1108:3: Wrong type argument in position 1 (expecting registered stencil expression): (embedded-ps " gsave currentpoint translate 0.1 setlinewidth (x) show grestore ")
$
That probably vindicates the patch.
Tested on several lilypond files with no problems.
$ lilypond lily-0dae7688.ly
....
Layout output to `lily-0dae7688-4.eps'...
Converting to `./lily-0dae7688-1.pdf'...
Converting to `./lily-0dae7688-2.pdf'...
Converting to `./lily-0dae7688-3.pdf'...
Converting to `./lily-0dae7688-4.pdf'...
Writing lily-0dae7688-systems.texi...
Writing lily-0dae7688-systems.tex...
Writing lily-0dae7688-systems.count...
Success: compilation successfully completed
The four output PDFs each showed a valid bar of music which could be printed directly from okular.
Generated a PNG file and four EPS files from the same input.
$ lilypond --png -o lilytest lily-0dae7688.ly
....
Layout output to `lilytest-1.eps'...
Layout output to `lilytest-2.eps'...
Layout output to `lilytest-3.eps'...
Layout output to `lilytest-4.eps'...
Writing lilytest-systems.texi...
Writing lilytest-systems.tex...
Writing lilytest-systems.count...
Success: compilation successfully completed
Imported one of the .eps files into LibreOffice - displays fine.
Giving this the OK.
Another oops!