Bug 27174 - lilypond new security issue CVE-2020-17353
Summary: lilypond new security issue CVE-2020-17353
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Reported: 2020-08-21 23:28 CEST by David Walser
Modified: 2021-01-17 14:46 CET (History)
6 users (show)

See Also:
Source RPM: lilypond-2.19.84-1.mga8.src.rpm
CVE: CVE-2020-17353
Status comment: Patch available from Fedora


Description David Walser 2020-08-21 23:28:08 CEST
Fedora has issued an advisory on August 14:

Mageia 7 is also affected.
David Walser 2020-08-21 23:28:29 CEST

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA7TOO

Comment 1 Aurelien Oudelet 2020-08-22 17:18:40 CEST
Hi, thanks reporting this,

Assigning to registered packager.

CC: (none) => ouaurelien
Assignee: bugsquad => rverschelde

Aurelien Oudelet 2020-08-25 11:00:08 CEST

CC: ouaurelien => (none)

Comment 2 David Walser 2020-09-03 21:41:22 CEST
Debian has issued an advisory for this on August 29:
Comment 3 David Walser 2020-09-22 22:23:35 CEST
openSUSE has issued an advisory for this on September 19:
Comment 4 Mike Rambo 2020-11-10 21:10:39 CET
Patched package uploaded for cauldron and Mageia 7.


Updated lilypond package fixes security vulnerability:

It was discovered that Lilypond, a program for typesetting sheet music, did not restrict the inclusion of Postscript and SVG commands when operating in safe mode, which could result in the execution of arbitrary code when rendering a typesheet file with embedded Postscript code (CVE-2020-17353).


Updated packages in core/updates_testing:

from lilypond-2.19.83-1.1.mga7.src.rpm

Testing procedure.

CC: (none) => mrambo
Whiteboard: MGA7TOO => (none)
Assignee: rverschelde => qa-bugs
Version: Cauldron => 7
Keywords: (none) => has_procedure

Comment 5 Len Lawrence 2020-11-12 15:48:19 CET
mga7, x86_64

$ lilypond -dsafe input_regression_les-nereides.ly
GNU LilyPond 2.19.83
Processing `input_regression_les-nereides.ly'
error: program too old: 2.19.83 (file requires: 2.21.0)
input_regression_les-nereides.ly:75:38: error: GUILE signaled an error for the expression beginning here
    \override Fingering.direction = #
Unbound variable: DOWN
Interpreting music...
warning: type check for `direction' failed; value `#<unspecified>' must be of type `direction'
Converting to `input_regression_les-nereides.pdf'...
Deleting `/tmp/lilypond-4338Dq'...
fatal error: failed files: "input_regression_les-nereides.ly"

$ lilypond -dsafe f
GNU LilyPond 2.19.83
Processing `f.ly'
f.ly:1: warning: no \version statement found, please add

\version "2.19.83"

for future compatibility
Interpreting music...
Preprocessing graphical objects...
Finding the ideal number of pages...
Fitting music on 1 page...
Drawing systems...
Layout output to `/tmp/lilypond-jxz0Bc'...
Converting to `f.pdf'...
Deleting `/tmp/lilypond-jxz0Bc'...
Success: compilation successfully completed
lcl@difda:Downloads $ ll f.pdf
-rw-r--r-- 1 lcl lcl 27101 Nov 12 12:55 f.pdf

This differs from the result upstream.

$ ll f.pdf
-rw-r--r-- 1 lcl lcl 27101 Nov 12 12:55 f.pdf

This displayed a single note score in okular.

Updated the two packages and tried the PoC again.
No discernible difference for the first one but the second terminated without generating f.pdf.
/usr/share/lilypond/2.19.83/scm/define-markup-commands.scm:1108:3: Wrong type argument in position 1 (expecting registered stencil expression): (embedded-ps "
gsave currentpoint translate
0.1 setlinewidth
  (x) show 

That probably vindicates the patch.

Tested on several lilypond files with no problems.
$ lilypond lily-0dae7688.ly
Layout output to `lily-0dae7688-4.eps'...
Converting to `./lily-0dae7688-1.pdf'...
Converting to `./lily-0dae7688-2.pdf'...
Converting to `./lily-0dae7688-3.pdf'...
Converting to `./lily-0dae7688-4.pdf'...
Writing lily-0dae7688-systems.texi...
Writing lily-0dae7688-systems.tex...
Writing lily-0dae7688-systems.count...
Success: compilation successfully completed

The four output PDFs each showed a valid bar of music which could be printed directly from okular.
Generated a PNG file and four EPS files from the same input.
$ lilypond --png -o lilytest lily-0dae7688.ly
Layout output to `lilytest-1.eps'...
Layout output to `lilytest-2.eps'...
Layout output to `lilytest-3.eps'...
Layout output to `lilytest-4.eps'...
Writing lilytest-systems.texi...
Writing lilytest-systems.tex...
Writing lilytest-systems.count...
Success: compilation successfully completed

Imported one of the .eps files into LibreOffice - displays fine.

Giving this the OK ... and posting it to the wrong bug!

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 6 Aurelien Oudelet 2020-11-12 20:46:54 CET
Validated update, packages and Advisory in Comment 4.
Advisory pushed to SVN.

CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 7 Mageia Robot 2020-11-13 22:22:00 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Comment 8 Zombie Ryushu 2021-01-17 12:37:26 CET
Can anyone tell me why Cauldron was not updated?

CC: (none) => zombie_ryushu
CVE: (none) => CVE-2020-17353

Comment 9 Manuel Hiebel 2021-01-17 12:52:18 CET
(In reply to Zombie Ryushu from comment #8)
> Can anyone tell me why Cauldron was not updated?

you are wrong

cf comment 4
and http://madb.mageia.org/package/show/name/lilypond/release/cauldron/application/0
show we have lilypond-2.20.0-4.mga8.i586.rpm
see diff here http://svnweb.mageia.org/packages?view=revision&revision=1644363
Comment 10 Zombie Ryushu 2021-01-17 13:12:00 CET
Is there any reason we would not upgrade to 2.22.0?
Comment 11 Nicolas Lécureuil 2021-01-17 14:46:50 CET
Because we are in version freeze ?

CC: (none) => mageia

Note You need to log in before you can comment on or make changes to this bug.