CVE-2020-17354
Summary
| CVE | CVE-2020-17354 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-04-15 22:15:00 UTC |
| Updated | 2023-11-07 03:19:00 UTC |
| Description | LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used. |
Risk And Classification
Problem Types: CWE-863
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Debian Package Tracker | MISC | tracker.debian.org | |
| [SECURITY] Fedora 37 Update: lilypond-doc-2.24.1-1.fc37 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| LilyPond – Music notation for everyone: Download | MISC | lilypond.org | |
| Remove safe mode (!1522) · Merge requests · LilyPond / LilyPond · GitLab | CONFIRM | gitlab.com | |
| [SECURITY] Fedora 36 Update: lilypond-doc-2.24.1-1.fc36 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [SECURITY] Fedora 37 Update: lilypond-doc-2.24.1-1.fc37 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Extension:Score/2021 security advisory - MediaWiki | MISC | www.mediawiki.org | |
| LilyPond Application Usage: 1.2 Command-line usage | MISC | lilypond.org | |
| [SECURITY] Fedora 36 Update: lilypond-doc-2.24.1-1.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Login | MISC | phabricator.wikimedia.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.