CVE-2020-17354: Debian Package Tracker
LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used.
Format: 1.8
Date: Sat, 21 Aug 2021 06:22:22 -0600
Source: lilypond
Architecture: source
Version: 2.22.1-1
Distribution: unstable
Urgency: medium
Maintainer: Anthony Fok [email protected]
Changed-By: Anthony Fok [email protected]
Changes:
 lilypond (2.22.1-1) unstable; urgency=medium
 .
   * New upstream version 2.22.1
   * Bump Standards-Version to 4.6.0 (no change)
   * Mark lilypond-{doc-pdf,fonts} "Multi-Arch: foreign"
   * Drop previously backported upstream patches
   * Mark Lilypond as insecure for externally fetched data files
     in the new README.Debian.security file kindly provided by
     fellow Debian Developer and security expert Moritz Mühlenhoff