CVE-2020-17353 — Lilypond vulnerability

7 documents6 sources

Severity

9.8CRITICALNVD

EPSS

1.3%

top 20.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lilypond Debian Linux Fedoraproject Fedora +2 more

Timeline

PublishedAug 5

Latest updateMay 24

Description

scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript code.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶Debianlilypond/lilypond< 2.20.0-2+3

▶NVDlilypond/lilypond2.21.0 — 2.21.4+1

▶NVDopensuse/leap15.2

▶NVDopensuse/backports_sle15.0

Also affects: Debian Linux 10.0, Fedora 31, 32

🔴Vulnerability Details

GHSA

GHSA-wg4f-3xq5-x79h: scm/define-stencil-commands↗2022-05-24

▶

CVEList

CVE-2020-17353: scm/define-stencil-commands↗2020-08-05

▶

OSV

CVE-2020-17353: scm/define-stencil-commands↗2020-08-05

▶

📋Vendor Advisories

Debian

CVE-2020-17353: lilypond - scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2...↗2020

▶

💬Community

Bugzilla

CVE-2020-17353 lilypond: lacks of restrictions on embedded-ps and embedded-svg when -dsafe is used [fedora-all]↗2020-08-05

▶

Bugzilla

CVE-2020-17353 lilypond: lacks of restrictions on embedded-ps and embedded-svg when -dsafe is used↗2020-08-05

▶