Descriptionlilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument, because the GNU Guile code uses the system Scheme procedure instead of the system* Scheme procedure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-17523.
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
|National Vulnerability Database|
- openSUSE-SU-2018:1360-1, published Mon, 21 May 2018 03:07:38 +0200 (CEST)
List of released packages
|Product(s)||Fixed package version(s)||References|
|openSUSE Leap 42.3|| ||Patchnames: