Bug 31889 - lilypond new security issue CVE-2020-17354
Summary: lilypond new security issue CVE-2020-17354
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-05-07 01:22 CEST by David Walser
Modified: 2023-11-27 17:19 CET
CC List: 3 users

See Also:
Source RPM: lilypond-2.24.1-2.mga9.src.rpm
CVE: CVE-2020-17354
Status comment: Advisory in comment#6


Attachments
Simple file to test (36 bytes, text/plain)
2023-11-26 03:29 CET, katnatek

Description David Walser 2023-05-07 01:22:04 CEST
Fedora issued an advisory on April 26:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MN6Q4OQGESLYJKPCLYKRILLAW23FATKL/

The issue is fixed upstream in 2.24.1.
David Walser 2023-05-07 01:22:25 CEST

Status comment: (none) => Fixed upstream in 2.24.1

Comment 1 Lewis Smith 2023-05-07 21:22:11 CEST Comment hidden (obsolete)

Assignee: bugsquad => bruno

Comment 2 Bruno Cornec 2023-05-08 18:37:06 CEST Comment hidden (obsolete)

Status: NEW => ASSIGNED

Comment 3 Bruno Cornec 2023-11-24 03:05:23 CET Comment hidden (obsolete)

Status: ASSIGNED => RESOLVED
Resolution: (none) => WONTFIX

Comment 4 katnatek 2023-11-24 20:09:52 CET Comment hidden (obsolete)
Comment 5 Bruno Cornec 2023-11-26 01:22:36 CET
I did push 2.24.2 in August, but no one tested it, I think.
So I'll update this ticket so QA can validate it.

Resolution: WONTFIX => (none)
Status: RESOLVED => REOPENED
Version: 8 => 9
Assignee: bruno => qa-bugs

Comment 6 katnatek 2023-11-26 02:53:06 CET
Advisories:
Updated lilypond packages fix a vulnerability

References:
CVE-2020-17354

Packages in 9/core/updates_testing:
lilypond-2.24.2-2.mga9
lilypond-doc-2.24.2-2.mga9

From SRPM:
lilypond-2.24.2-2.mga9
katnatek 2023-11-26 02:55:22 CET

Source RPM: lilypond-2.20.0-4.mga8.src.rpm => lilypond-2.24.1-2.mga9.src.rpm
CVE: (none) => CVE-2020-17354
Status comment: Fixed upstream in 2.24.1 => Advisory in comment#6

Comment 7 katnatek 2023-11-26 03:29:33 CET
Created attachment 14184
Simple file to test

Download the file as lilytest.txt.
Run as a normal user: lilypond lilytest.txt
The program generates lilytest.pdf.
Comment 8 katnatek 2023-11-26 03:38:29 CET
Tested on real hardware with Mageia 9 i586 LXQt.

Installed the current version without issues.
Updated to the testing version without issue.
Ran lilypond with the test file (which contains a basic example from the web).
The application produced the PDF with the expected content.
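The QA check described in comments 7 and 8 (confirm the updated package is the one installed, then render a small input and check that a PDF comes out), written up as a script. This is an added example, not the attachment from the bug and not Mageia QA's own tooling. It assumes an RPM-based system where `rpm -q` reports the installed lilypond Version-Release, takes the fixed Version-Release `2.24.2-2.mga9` from comment 6, and uses a constructed two-bar score in place of the attachment, whose contents are not reproduced on this page.

```shell
#!/bin/sh
# Added QA smoke test for the lilypond update (example code, not from the bug report).
# Assumptions: RPM-based system; fixed Version-Release taken from comment 6;
# the test score below is constructed here, not the bug's attachment.

FIXED_VR="2.24.2-2.mga9"

# version_at_least INSTALLED REQUIRED
# Returns 0 when INSTALLED >= REQUIRED, comparing RPM-style Version-Release
# strings with sort -V (so 2.24.10 sorts above 2.24.2, unlike a plain string compare).
version_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# installed_vr: print the installed lilypond Version-Release, or fail if not installed.
installed_vr() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' lilypond 2>/dev/null
}

# write_test_input FILE: constructed minimal score (assumption: any valid input will do,
# as comment 8 only checks that a PDF with the expected content is produced).
write_test_input() {
    cat > "$1" <<'EOF'
\version "2.24.2"
\relative c' { c4 d e f | g1 }
EOF
}

# run_smoke_test DIR: render the constructed score in DIR; 0 if a non-empty PDF appears.
run_smoke_test() {
    dir=$1
    write_test_input "$dir/lilytest.ly"
    ( cd "$dir" && lilypond -o lilytest lilytest.ly > lilytest.log 2>&1 ) || return 1
    [ -s "$dir/lilytest.pdf" ]
}

main() {
    vr=$(installed_vr) || { echo "lilypond is not installed"; return 1; }
    if version_at_least "$vr" "$FIXED_VR"; then
        echo "installed lilypond-$vr is at or above $FIXED_VR"
    else
        echo "installed lilypond-$vr is older than $FIXED_VR (update not applied)"
        return 1
    fi
    tmp=$(mktemp -d)
    if run_smoke_test "$tmp"; then
        echo "PASS: $tmp/lilytest.pdf generated"
    else
        echo "FAIL: lilypond did not produce a PDF, see $tmp/lilytest.log"
        return 1
    fi
}

# Only run the full check when invoked as: sh lilytest-qa.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

Run it as `sh lilytest-qa.sh run` after `urpmi --auto-update` from `updates_testing`; the version gate catches the case comment 5 describes, where the updated package was pushed but never actually installed on the test machine, before the render step is attempted.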
Comment 9 Morgan Leijström 2023-11-26 12:14:38 CET
Validating per Comment 8; the packager also uses lilypond himself.

Keywords: (none) => validated_update
CC: (none) => fri, sysadmin-bugs

Comment 10 Marja Van Waes 2023-11-26 12:36:19 CET
Advisory from comment 6 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

CC: (none) => marja11
Keywords: (none) => advisory

Comment 11 Mageia Robot 2023-11-27 17:19:57 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0325.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

