#VU79717 Security features bypass in LilyPond - CVE-2020-17354
Vulnerability identifier: #VU79717
Vulnerability risk: Medium
CVSSv4.0: 4.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-254
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
LilyPond
Universal components / Libraries /
Scripting languages
Vendor: LilyPond
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper access restrictions imposed by safe mode. An attacker can pass a specially crafted .ly file to the application that bypasses the -dsafe protection mechanism via output-def-lookup or output-def-scope.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
LilyPond: 0.0.39 - 2.23.6
External links
https://tracker.debian.org/news/1249694/accepted-lilypond-2221-1-source-into-unstable/
https://phabricator.wikimedia.org/T259210
https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory
https://gitlab.com/lilypond/lilypond/-/merge_requests/1522
https://lilypond.org/doc/v2.18/Documentation/usage/command_002dline-usage
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K43PF6VGFJNNGAPY57BW3VMEFFOSMRLF/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ST5BLLQ4GDME3SN7UE5OMNE5GZE66X4Y/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
