Upstream information

CVE-2020-17354 at MITRE

Description

LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v3 Scores
  National Vulnerability Database
Base Score 8.6
Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Impact High
Integrity Impact High
Availability Impact High
CVSSv3 Version 3.1
SUSE Bugzilla entry: 1210502 [IN_PROGRESS]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Package Hub 15 SP4
  • guile1 >= 2.2.6-bp154.3.3.1
  • guile1-modules-2_2 >= 2.2.6-bp154.3.3.1
  • libguile-2_2-1 >= 2.2.6-bp154.3.3.1
  • libguile1-devel >= 2.2.6-bp154.3.3.1
  • lilypond >= 2.24.1-bp154.2.3.2
  • lilypond-doc >= 2.24.1-bp154.2.3.2
  • lilypond-doc-cs >= 2.24.1-bp154.2.3.2
  • lilypond-doc-de >= 2.24.1-bp154.2.3.2
  • lilypond-doc-es >= 2.24.1-bp154.2.3.2
  • lilypond-doc-fr >= 2.24.1-bp154.2.3.2
  • lilypond-doc-hu >= 2.24.1-bp154.2.3.2
  • lilypond-doc-it >= 2.24.1-bp154.2.3.2
  • lilypond-doc-ja >= 2.24.1-bp154.2.3.2
  • lilypond-doc-nl >= 2.24.1-bp154.2.3.2
  • lilypond-doc-zh >= 2.24.1-bp154.2.3.2
  • lilypond-emmentaler-fonts >= 2.24.1-bp154.2.3.2
  • lilypond-fonts-common >= 2.24.1-bp154.2.3.2
Patchnames:
openSUSE-2023-137
openSUSE Leap 15.4
  • guile1 >= 2.2.6-bp154.3.3.1
  • guile1-modules-2_2 >= 2.2.6-bp154.3.3.1
  • libguile-2_2-1 >= 2.2.6-bp154.3.3.1
  • libguile1-devel >= 2.2.6-bp154.3.3.1
  • lilypond >= 2.24.1-bp154.2.3.2
  • lilypond-doc >= 2.24.1-bp154.2.3.2
  • lilypond-doc-cs >= 2.24.1-bp154.2.3.2
  • lilypond-doc-de >= 2.24.1-bp154.2.3.2
  • lilypond-doc-es >= 2.24.1-bp154.2.3.2
  • lilypond-doc-fr >= 2.24.1-bp154.2.3.2
  • lilypond-doc-hu >= 2.24.1-bp154.2.3.2
  • lilypond-doc-it >= 2.24.1-bp154.2.3.2
  • lilypond-doc-ja >= 2.24.1-bp154.2.3.2
  • lilypond-doc-nl >= 2.24.1-bp154.2.3.2
  • lilypond-doc-zh >= 2.24.1-bp154.2.3.2
  • lilypond-emmentaler-fonts >= 2.24.1-bp154.2.3.2
  • lilypond-fonts-common >= 2.24.1-bp154.2.3.2
Patchnames:
openSUSE-2023-137


SUSE Timeline for this CVE

CVE page created: Sun Apr 16 02:00:03 2023
CVE page last modified: Wed Jun 28 00:49:46 2023