Upstream information

CVE-2018-10992 at MITRE

Description

lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument, because the GNU Guile code uses the system Scheme procedure instead of the system* Scheme procedure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-17523.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having moderate severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 7.5
Vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial
SUSE Bugzilla entry: 1093056 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE Leap 42.3
  • lilypond >= 2.18.2-7.3.1
  • lilypond-century-schoolbook-l-fonts >= 2.18.2-7.3.1
  • lilypond-debuginfo >= 2.18.2-7.3.1
  • lilypond-debugsource >= 2.18.2-7.3.1
  • lilypond-doc >= 2.18.2-7.3.1
  • lilypond-doc-cs >= 2.18.2-7.3.1
  • lilypond-doc-de >= 2.18.2-7.3.1
  • lilypond-doc-es >= 2.18.2-7.3.1
  • lilypond-doc-fr >= 2.18.2-7.3.1
  • lilypond-doc-hu >= 2.18.2-7.3.1
  • lilypond-doc-it >= 2.18.2-7.3.1
  • lilypond-doc-ja >= 2.18.2-7.3.1
  • lilypond-doc-nl >= 2.18.2-7.3.1
  • lilypond-doc-zh >= 2.18.2-7.3.1
  • lilypond-emmentaler-fonts >= 2.18.2-7.3.1
  • lilypond-fonts-common >= 2.18.2-7.3.1
Patchnames:
openSUSE-2018-487