LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used.
References
Link | Resource |
---|---|
http://lilypond.org/doc/v2.18/Documentation/usage/command_002dline-usage | Release Notes |
https://gitlab.com/lilypond/lilypond/-/merge_requests/1522 | Patch Vendor Advisory |
https://lilypond.org/download.html | Product |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K43PF6VGFJNNGAPY57BW3VMEFFOSMRLF/ | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ST5BLLQ4GDME3SN7UE5OMNE5GZE66X4Y/ | |
https://phabricator.wikimedia.org/T259210 | Exploit Third Party Advisory |
https://tracker.debian.org/news/1249694/accepted-lilypond-2221-1-source-into-unstable/ | Mailing List Release Notes Third Party Advisory |
https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory | Third Party Advisory |
Configurations
History
07 Nov 2023, 03:19
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
26 Apr 2023, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
25 Apr 2023, 16:52
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-863 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.6 |
References | (MISC) https://tracker.debian.org/news/1249694/accepted-lilypond-2221-1-source-into-unstable/ - Mailing List, Release Notes, Third Party Advisory | |
References | (MISC) https://lilypond.org/download.html - Product | |
References | (MISC) http://lilypond.org/doc/v2.18/Documentation/usage/command_002dline-usage - Release Notes | |
References | (MISC) https://phabricator.wikimedia.org/T259210 - Exploit, Third Party Advisory | |
References | (CONFIRM) https://gitlab.com/lilypond/lilypond/-/merge_requests/1522 - Patch, Vendor Advisory | |
References | (MISC) https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory - Third Party Advisory | |
CPE | cpe:2.3:a:lilypond:lilypond:*:*:*:*:*:*:*:* | |
First Time |
Lilypond lilypond
Lilypond |
15 Apr 2023, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-04-15 22:15
Updated : 2023-12-10 15:01
NVD link : CVE-2020-17354
Mitre link : CVE-2020-17354
CVE.ORG link : CVE-2020-17354
JSON object : View
Products Affected
lilypond
- lilypond
CWE
CWE-863
Incorrect Authorization