Advisories » MGASA-2020-0414

Updated lilypond package fixes a security vulnerability

Publication date: 13 Nov 2020
Modification date: 13 Nov 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2020-17353

Description

It was discovered that Lilypond, a program for typesetting sheet music, did
not restrict the inclusion of Postscript and SVG commands when operating in
safe mode, which could result in the execution of arbitrary code when rendering
a typesheet file with embedded Postscript code.
(CVE-2020-17353)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=27174
• https://www.debian.org/security/2020/dsa-4756
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QG2JUV4UTIA27JUE6IZLCEFP5PYSFPF4/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17353

SRPMS

7/core

• lilypond-2.19.83-1.1.mga7