CVE-2020-17353

scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript code.

Published: Aug 5, 2020
Updated: Apr 13, 2023
CVE: CVE-2020-17353
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
lilypond / lilypond	2.21.0	2.21.4.x
lilypond / lilypond	-	2.20.0.x
fedoraproject / fedora	31	31.x
fedoraproject / fedora	32	32.x
debian / debian_linux	10.0	10.0.x
opensuse / leap	15.2	15.2.x
opensuse / backports_sle	15.0-sp2	15.0-sp2.x

http://git.savannah.gnu.org/gitweb/?p=lilypond.git;a=commit;h=b84ea4740f3279516905c5db05f4074e777c16ff
http://git.savannah.gnu.org/gitweb/?p=lilypond.git%3Ba=commit%3Bh=b84ea4740f3279516905c5db05f4074e777c16ff
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00064.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00076.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QG2JUV4UTIA27JUE6IZLCEFP5PYSFPF4/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2JYMVLTPSNYS5F7TBHKIXUZZJIJAMRX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QG2JUV4UTIA27JUE6IZLCEFP5PYSFPF4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2JYMVLTPSNYS5F7TBHKIXUZZJIJAMRX/
https://www.debian.org/security/2020/dsa-4756

Vulnerability Database

300,926

CVE-2020-17353

Deep Security Visibility Without the Complexity