FS#67680 - [lilypond] [security] CVE-2020-17353
Attached to Project:
Community Packages
Opened by loqs (loqs) - Saturday, 22 August 2020, 22:02 GMT
Last edited by David Runge (dvzrv) - Tuesday, 27 October 2020, 00:32 GMT
Details
Description:
scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript code.
Additional info:
* lilypond 2.20.0-3
* http://git.savannah.gnu.org/gitweb/?p=lilypond.git;a=commit;h=b84ea4740f3279516905c5db05f4074e777c16ff
Closed by David Runge (dvzrv)
Tuesday, 27 October 2020, 00:32 GMT
Reason for closing: Fixed
Additional comments about closing: Upstream patch applied in 2.20.0-4.
Comment by David Runge (dvzrv) -
Tuesday, 27 October 2020, 00:13 GMT
@loqs: Thanks for the report. I'll add this in an upcoming pkgrel.