MGASA-2020-0414 - Updated lilypond package fixes a security vulnerability

Publication date: 13 Nov 2020
URL: https://advisories.mageia.org/MGASA-2020-0414.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-17353

It was discovered that LilyPond, a program for typesetting sheet music, did
not restrict the inclusion of PostScript and SVG commands when operating in
safe mode, which could result in the execution of arbitrary code when rendering
a typesheet file with embedded PostScript code.
(CVE-2020-17353)

References:
- https://bugs.mageia.org/show_bug.cgi?id=27174
- https://www.debian.org/security/2020/dsa-4756
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/QG2JUV4UTIA27JUE6IZLCEFP5PYSFPF4/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17353

SRPMS:
- 7/core/lilypond-2.19.83-1.1.mga7