Bug 2187166 (CVE-2020-17354)

Summary: CVE-2020-17354 LilyPond: LilyPond allows attackers to bypass the -dsafe protection mechanism
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
QA Contact: ---
Severity: medium
Docs Contact: ---
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: ---
Fixed In Version: ---
Doc Type: If docs needed, set a value
Doc Text: ---
Story Points: ---
Clone Of: ---
Environment: ---
Last Closed: 2023-04-17 11:05:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM: ---
Verified Versions: ---
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host: ---
Cloudforms Team: ---
Target Upstream Version: ---
Embargoed: ---
Bug Depends On: 2187167
Bug Blocks: ---

Description Avinash Hanwate 2023-04-17 06:33:31 UTC
LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used.

https://tracker.debian.org/news/1249694/accepted-lilypond-2221-1-source-into-unstable/
https://phabricator.wikimedia.org/T259210
https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory
https://gitlab.com/lilypond/lilypond/-/merge_requests/1522
http://lilypond.org/doc/v2.18/Documentation/usage/command_002dline-usage
https://lilypond.org/download.html

Comment 1 Avinash Hanwate 2023-04-17 06:33:51 UTC
Created lilypond tracking bugs for this issue:

Affects: fedora-all [bug 2187167]

Comment 2 Product Security DevOps Team 2023-04-17 11:05:02 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.