Fedora has issued an advisory on August 14: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QG2JUV4UTIA27JUE6IZLCEFP5PYSFPF4/ Mageia 7 is also affected.
Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA7TOO
Hi, thanks for reporting this. Assigning to registered packager.
CC: (none) => ouaurelien
Assignee: bugsquad => rverschelde
CC: ouaurelien => (none)
Debian has issued an advisory for this on August 29: https://www.debian.org/security/2020/dsa-4756
openSUSE has issued an advisory for this on September 19: https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00064.html
Patched package uploaded for cauldron and Mageia 7.

Advisory:
========================

Updated lilypond package fixes security vulnerability:

It was discovered that Lilypond, a program for typesetting sheet music, did not restrict the inclusion of Postscript and SVG commands when operating in safe mode, which could result in the execution of arbitrary code when rendering a typesheet file with embedded Postscript code (CVE-2020-17353).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17353
https://www.debian.org/security/2020/dsa-4756
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QG2JUV4UTIA27JUE6IZLCEFP5PYSFPF4/
========================

Updated packages in core/updates_testing:
========================
lilypond-2.19.83-1.1.mga7
lilypond-doc-2.19.83-1.1.mga7.noarch.rpm

from lilypond-2.19.83-1.1.mga7.src.rpm

Testing procedure.
https://bugs.mageia.org/show_bug.cgi?id=23146#c13
https://bugs.mageia.org/show_bug.cgi?id=23146#c14
CC: (none) => mrambo
Whiteboard: MGA7TOO => (none)
Assignee: rverschelde => qa-bugs
Version: Cauldron => 7
Keywords: (none) => has_procedure
mga7, x86_64

CVE-2020-17353
http://git.savannah.gnu.org/gitweb/?p=lilypond.git;a=commit;h=b84ea4740f3279516905c5db05f4074e777c16ff

$ lilypond -dsafe input_regression_les-nereides.ly
GNU LilyPond 2.19.83
Processing `input_regression_les-nereides.ly'
Parsing...
error: program too old: 2.19.83 (file requires: 2.21.0)
input_regression_les-nereides.ly:75:38: error: GUILE signaled an error for the expression beginning here
\override Fingering.direction = #
[...] DOWN
Unbound variable: DOWN
Interpreting music...
warning: type check for `direction' failed; value `#<unspecified>' must be of type `direction'
[...]
Converting to `input_regression_les-nereides.pdf'...
Deleting `/tmp/lilypond-4338Dq'...
fatal error: failed files: "input_regression_les-nereides.ly"

$ lilypond -dsafe f
GNU LilyPond 2.19.83
Processing `f.ly'
Parsing...
f.ly:1: warning: no \version statement found, please add
\version "2.19.83"
for future compatibility
Interpreting music...
Preprocessing graphical objects...
Finding the ideal number of pages...
Fitting music on 1 page...
Drawing systems...
Layout output to `/tmp/lilypond-jxz0Bc'...
Converting to `f.pdf'...
Deleting `/tmp/lilypond-jxz0Bc'...
Success: compilation successfully completed

lcl@difda:Downloads $ ll f.pdf
-rw-r--r-- 1 lcl lcl 27101 Nov 12 12:55 f.pdf

This differs from the result upstream.

$ ll f.pdf
-rw-r--r-- 1 lcl lcl 27101 Nov 12 12:55 f.pdf

This displayed a single note score in okular.

Updated the two packages and tried the PoC again. No discernible difference for the first one, but the second terminated without generating f.pdf.

.....
/usr/share/lilypond/2.19.83/scm/define-markup-commands.scm:1108:3: Wrong type argument in position 1 (expecting registered stencil expression): (embedded-ps " gsave currentpoint translate 0.1 setlinewidth (x) show grestore ")
$

That probably vindicates the patch.

Tested on several lilypond files with no problems.

$ lilypond lily-0dae7688.ly
....
Layout output to `lily-0dae7688-4.eps'...
Converting to `./lily-0dae7688-1.pdf'...
Converting to `./lily-0dae7688-2.pdf'...
Converting to `./lily-0dae7688-3.pdf'...
Converting to `./lily-0dae7688-4.pdf'...
Writing lily-0dae7688-systems.texi...
Writing lily-0dae7688-systems.tex...
Writing lily-0dae7688-systems.count...
Success: compilation successfully completed

The four output PDFs each showed a valid bar of music which could be printed directly from okular.

Generated a PNG file and four EPS files from the same input.

$ lilypond --png -o lilytest lily-0dae7688.ly
....
Layout output to `lilytest-1.eps'...
Layout output to `lilytest-2.eps'...
Layout output to `lilytest-3.eps'...
Layout output to `lilytest-4.eps'...
Writing lilytest-systems.texi...
Writing lilytest-systems.tex...
Writing lilytest-systems.count...
Success: compilation successfully completed

Imported one of the .eps files into LibreOffice - displays fine.

Giving this the OK ... and posting it to the wrong bug!
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
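A defensive pre-render check for untrusted .ly input, added here as an illustration; it is not part of the bug report, the Mageia package or the upstream fix. It flags the constructs that embed raw PostScript or SVG in a score (embedded-ps appears in the QA error output above; the \postscript and \epsfile markup commands and the embedded-svg form are assumed names from LilyPond's markup vocabulary), so a rendering service can refuse such files up front instead of relying on -dsafe alone. The sample input is constructed.

```python
import re

# Constructs that embed raw PostScript/SVG into a stencil. Assumed set, not
# taken from the bug report: \postscript and \epsfile markup commands, and
# the embedded-ps / embedded-svg Scheme stencil expressions.
UNSAFE_PATTERNS = {
    "postscript-markup": re.compile(r"\\postscript\b"),
    "epsfile-markup": re.compile(r"\\epsfile\b"),
    "embedded-ps": re.compile(r"\(\s*embedded-ps\b"),
    "embedded-svg": re.compile(r"\(\s*embedded-svg\b"),
}


def strip_comments(source):
    """Remove %{ ... %} block comments and % line comments so commented-out
    commands do not trigger hits. Newlines are preserved so that line
    numbers reported by find_embedded_graphics() stay accurate."""
    source = re.sub(r"%\{.*?%\}",
                    lambda m: "\n" * m.group(0).count("\n"),
                    source, flags=re.S)
    return re.sub(r"%[^\n]*", "", source)


def find_embedded_graphics(source):
    """Return [(line_no, kind, line_text)] for every line that embeds
    PostScript or SVG via one of UNSAFE_PATTERNS."""
    hits = []
    for line_no, line in enumerate(strip_comments(source).splitlines(), 1):
        for kind, pattern in UNSAFE_PATTERNS.items():
            if pattern.search(line):
                hits.append((line_no, kind, line.strip()))
    return hits


def is_safe_to_render(source):
    """True when no embedded-graphics construct was found."""
    return not find_embedded_graphics(source)


# Constructed sample: a commented-out command (ignored) and two live ones.
SAMPLE_UNTRUSTED = r'''
\version "2.19.83"
% \postscript inside a comment must not count
\markup { \postscript #"gsave 0.1 setlinewidth (x) show grestore" }
\markup \epsfile #X #10 #"cover.eps"
{ c'4 }
'''
SAMPLE_TRUSTED = r'''\relative c' { c4 d e f }'''

if __name__ == "__main__":
    for line_no, kind, text in find_embedded_graphics(SAMPLE_UNTRUSTED):
        print(f"line {line_no}: {kind}: {text}")
```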
Validated update, packages and Advisory in Comment 4. Advisory pushed to SVN.
CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0414.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Can anyone tell me why Cauldron was not updated?
CC: (none) => zombie_ryushu
CVE: (none) => CVE-2020-17353
(In reply to Zombie Ryushu from comment #8)
> Can anyone tell me why Cauldron was not updated?

You are wrong, cf. comment 4 and http://madb.mageia.org/package/show/name/lilypond/release/cauldron/application/0, which show we have lilypond-2.20.0-4.mga8.i586.rpm. See the diff here: http://svnweb.mageia.org/packages?view=revision&revision=1644363
Is there any reason we would not upgrade to 2.22.0?
Because we are in version freeze?
CC: (none) => mageia