ALT-PU-2020-2877-1
Closed vulnerabilities
Published: 2020-08-29
BDU:2021-03182
Уязвимость программы для набора партитур Lilypond, связанная с отсутствием ограничения включения команд Postscript и SVG при работе в безопасном режиме, позволяющая нарушителю выполнить произвольный код
Severity: CRITICAL (9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2020-08-05
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2020-17353
scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript code.
Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://git.savannah.gnu.org/gitweb/?p=lilypond.git%3Ba=commit%3Bh=b84ea4740f3279516905c5db05f4074e777c16ff
- http://git.savannah.gnu.org/gitweb/?p=lilypond.git%3Ba=commit%3Bh=b84ea4740f3279516905c5db05f4074e777c16ff
- openSUSE-SU-2020:1453
- openSUSE-SU-2020:1453
- openSUSE-SU-2020:1506
- openSUSE-SU-2020:1506
- FEDORA-2020-328534eeba
- FEDORA-2020-328534eeba
- FEDORA-2020-7cd08d85ce
- FEDORA-2020-7cd08d85ce
- DSA-4756
- DSA-4756