Fedora has issued an advisory on April 26: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MN6Q4OQGESLYJKPCLYKRILLAW23FATKL/ The issue is fixed upstream in 2.24.1.
Status comment: (none) => Fixed upstream in 2.24.1
We already have 2.24.1 in Cauldron, leaving just this M8 update. Bruno, as you did that Cauldron update, is it OK to assign this bug to you for M8? If not, re-assign it to pkg-bugs.
Assignee: bugsquad => bruno
Hummm, due to guile deps I don't think it's wise to push that version for m8. However, it's fine to assign the bug to me ;-)
Status: NEW => ASSIGNED
I think we should incite people to move to mga9 where lilypond is fixed wrt this issue.
Status: ASSIGNED => RESOLVED
Resolution: (none) => WONTFIX
I see updated lilypond packages on Mageia 9 updates testing, I must reopen this bug and convert to Mageia 9 or make a new report.
I did push 2.24.2 in August but no one tested it I think. So I'll update this ticket so QA can validate.
Resolution: WONTFIX => (none)
Status: RESOLVED => REOPENED
Version: 8 => 9
Assignee: bruno => qa-bugs
Advisories:
Updated packages of lilypond fix vulnerability

References:
CVE-2020-17354

Packages in 9/core/updates_testing:
lilypond-2.24.2-2.mga9
lilypond-doc-2.24.2-2.mga9

From SRPM:
lilypond-2.24.2-2.mga9
Source RPM: lilypond-2.20.0-4.mga8.src.rpm => lilypond-2.24.1-2.mga9.src.rpm
CVE: (none) => CVE-2020-17354
Status comment: Fixed upstream in 2.24.1 => Advisory in comment#6
Created attachment 14184
Simple file to test

Download the file as lilytest.txt
Run as user:
lilypond lilytest.txt
The program generates a lilytest.pdf
Tested on real hardware with Mageia 9 i586 lxqt
Installed current version without issues
Updated to testing version without issue
Ran lilypond with the test file (contains a basic example from the web)
The application produces the pdf with the expected content
Validating per Comment 8, plus the packager also uses lilypond himself.
Keywords: (none) => validated_update
CC: (none) => fri, sysadmin-bugs
Advisory from comment 6 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"
CC: (none) => marja11
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0325.html
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED