CVE-2020-17354 Common Vulnerabilities and Exposures

Upstream information

CVE-2020-17354 at MITRE

Description

LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v3 Scores
	National Vulnerability Database
Base Score	8.6
Vector	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector	Local
Attack Complexity	Low
Privileges Required	None
User Interaction	Required
Scope	Changed
Confidentiality Impact	High
Integrity Impact	High
Availability Impact	High
CVSSv3 Version	3.1

SUSE Bugzilla entry: 1210502 [RESOLVED / FIXED]

SUSE Security Advisories:

openSUSE-SU-2023:0137-1, published Tue Jun 27 22:41:11 2023

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Package Hub 15 SP4	`guile1 >= 2.2.6-bp154.3.3.1` `guile1-modules-2_2 >= 2.2.6-bp154.3.3.1` `libguile-2_2-1 >= 2.2.6-bp154.3.3.1` `libguile1-devel >= 2.2.6-bp154.3.3.1` `lilypond >= 2.24.1-bp154.2.3.2` `lilypond-doc >= 2.24.1-bp154.2.3.2` `lilypond-doc-cs >= 2.24.1-bp154.2.3.2` `lilypond-doc-de >= 2.24.1-bp154.2.3.2` `lilypond-doc-es >= 2.24.1-bp154.2.3.2` `lilypond-doc-fr >= 2.24.1-bp154.2.3.2` `lilypond-doc-hu >= 2.24.1-bp154.2.3.2` `lilypond-doc-it >= 2.24.1-bp154.2.3.2` `lilypond-doc-ja >= 2.24.1-bp154.2.3.2` `lilypond-doc-nl >= 2.24.1-bp154.2.3.2` `lilypond-doc-zh >= 2.24.1-bp154.2.3.2` `lilypond-emmentaler-fonts >= 2.24.1-bp154.2.3.2` `lilypond-fonts-common >= 2.24.1-bp154.2.3.2`	Patchnames: openSUSE-2023-137
openSUSE Leap 15.4	`guile1 >= 2.2.6-bp154.3.3.1` `guile1-modules-2_2 >= 2.2.6-bp154.3.3.1` `libguile-2_2-1 >= 2.2.6-bp154.3.3.1` `libguile1-devel >= 2.2.6-bp154.3.3.1` `lilypond >= 2.24.1-bp154.2.3.2` `lilypond-doc >= 2.24.1-bp154.2.3.2` `lilypond-doc-cs >= 2.24.1-bp154.2.3.2` `lilypond-doc-de >= 2.24.1-bp154.2.3.2` `lilypond-doc-es >= 2.24.1-bp154.2.3.2` `lilypond-doc-fr >= 2.24.1-bp154.2.3.2` `lilypond-doc-hu >= 2.24.1-bp154.2.3.2` `lilypond-doc-it >= 2.24.1-bp154.2.3.2` `lilypond-doc-ja >= 2.24.1-bp154.2.3.2` `lilypond-doc-nl >= 2.24.1-bp154.2.3.2` `lilypond-doc-zh >= 2.24.1-bp154.2.3.2` `lilypond-emmentaler-fonts >= 2.24.1-bp154.2.3.2` `lilypond-fonts-common >= 2.24.1-bp154.2.3.2`	Patchnames: openSUSE-2023-137

SUSE Timeline for this CVE

CVE page created: Sun Apr 16 02:00:03 2023
CVE page last modified: Sun Jun 30 16:32:04 2024