Hi Don,

On Thu, May 10, 2018 at 04:15:23PM -0700, Don Armstrong wrote:
> Control: unarchive 884136
> Control: found 884136 2.18.2-12
> Control: found 884136 2.19.81-1~exp1
> Control: forcemerge 884136 898373
> Control: tag 884136 confirmed
>
> On Thu, 10 May 2018, Gabriel Corona wrote:
> > lilypond-invoke-editor as shipped in Debian is still vulnerable to
> > shell command injection in URIs (CVE-2017-17523).
>
> Thanks for the report; we're actually shipping the upstream code with
> their fix to 2017-17523, but clearly that fix doesn't fix the whole
> thing, because they're using system instead of system*.
>
> I'm testing a quick patch which should fix this issue, and I'll send it
> upstream once I know it's working.

I will request a new CVE id for the "incomplete fix for CVE-2017-17523"
(but no need to wait for that assignment for fixing the issue).

Regards,
Salvatore
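
The difference between Guile's system and system* that the quoted reply refers to, as an added example that is not part of this thread and is not code from lilypond-invoke-editor or from the patch under test. Assumptions: printf stands in for the editor or browser command, and the URI and procedure names are constructed for illustration.

```scheme
;; Added illustration of system vs system* in Guile.
;; Assumption: `printf` stands in for the command that receives the URI.

;; Constructed sample input: a URI carrying a shell metacharacter.
(define sample-uri "http://example.invalid/;echo INJECTED")

;; `system` hands one string to the shell. The shell parses the URI as
;; shell syntax, so the text after `;` is run as a second command.
(define (open-with-system uri)
  (status:exit-val
   (system (string-append "printf 'opening %s\\n' " uri))))

;; `system*` executes the program directly with an argument vector.
;; No shell is involved, so the whole URI stays one literal argument.
(define (open-with-system* uri)
  (status:exit-val
   (system* "printf" "opening %s\n" uri)))

;; Flush Guile's own output before each child process writes, so the
;; labels appear in order with the children's output.
(display "system:\n")
(force-output)
(open-with-system sample-uri)

(display "system*:\n")
(force-output)
(open-with-system* sample-uri)
```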