Package: lilypond
Version: 2.18.2-12
Severity: grave
Tags: security
Justification: user security hole

Hi,

lilypond-invoke-editor as shipped in Debian is still vulnerable to
shell command injection in URIs (CVE-2017-17523).

This is easily demonstrated by running the following shell command against the
updated lilypond package, which still spawns an xterm process:

BROWSER="firefox" lilypond-invoke-editor "http://www.example.com/&xterm";

The vulnerable code snippet is still present:

(define (run-browser uri)
  (system   ; runs the whole string through /bin/sh -c
   (if (getenv "BROWSER")
       (format #f "~a ~a" (getenv "BROWSER") uri)   ; uri is interpolated unquoted
       (format #f "firefox -remote 'OpenURL(~a,new-tab)'" uri))))   ; a ' in uri escapes the quoting

Upstream bug [1] is marked as fixed but it's actually not. It has been
reported as Debian Bug 884136, which is marked as closed and archived.

[1] https://sourceforge.net/p/testlilyissues/issues/5243/

-- 
Gabriel


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lilypond depends on:
ii  ghostscript        9.22~dfsg-2.1
ii  libc6              2.27-3
ii  libfontconfig1     2.13.0-4
ii  libfreetype6       2.8.1-2
ii  libgcc1            1:8-20180425-1
ii  libglib2.0-0       2.56.1-2
ii  libgmp10           2:6.1.2+dfsg-3
ii  libltdl7           2.4.6-2.1
ii  libpango-1.0-0     1.42.0-1
ii  libpangoft2-1.0-0  1.42.0-1
ii  libstdc++6         8-20180425-1
ii  lilypond-data      2.18.2-12
ii  python             2.7.15~rc1-1

Versions of packages lilypond recommends:
ii  texlive-latex-base  2018.20180416-1

Versions of packages lilypond suggests:
pn  lilypond-doc  <none>

-- no debconf information
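Added example (editor's code, not lilypond's or the reporter's): the vulnerable run-browser quoted above, placed next to a hardened variant that never hands the URI to a shell. The hardened form uses Guile's system*, which execs the program with an argument vector instead of going through /bin/sh -c, so "&", ";", "'" and the like in the URI stay inside one argv entry. It assumes BROWSER is a program name optionally followed by whitespace-separated options (e.g. "firefox --new-window"); the function names run-browser-vulnerable and run-browser-safe are mine.

```scheme
;; Added example, not lilypond's code.  Vulnerable vs. hardened run-browser.
(use-modules (ice-9 format))

;; Vulnerable (as shipped): `system` runs the string through /bin/sh -c, so
;; "http://www.example.com/&xterm" is parsed as two commands:
;;   firefox http://www.example.com/ &   (backgrounded)
;;   xterm
(define (run-browser-vulnerable uri)
  (system
   (if (getenv "BROWSER")
       (format #f "~a ~a" (getenv "BROWSER") uri)
       (format #f "firefox -remote 'OpenURL(~a,new-tab)'" uri))))

;; Hardened: build an argument vector and call `system*`, which execs the
;; program directly.  No shell ever sees the URI, so shell metacharacters in
;; it are just bytes of a single argument.
;; Assumption: BROWSER is "<program> [options...]" separated by spaces.
(define (run-browser-safe uri)
  (let ((browser (getenv "BROWSER")))
    (apply system*
           (if (and browser (not (string-null? browser)))
               ;; BROWSER="firefox --new-window" -> ("firefox" "--new-window" uri)
               (append (delete "" (string-split browser #\space)) (list uri))
               ;; same fallback as the original, but as argv, not a shell string
               (list "firefox" "-remote"
                     (format #f "OpenURL(~a,new-tab)" uri))))))

;; Demo with a harmless BROWSER:   BROWSER=echo guile this-file.scm
;; The safe variant prints the whole URI as one argument.  Calling the
;; vulnerable one with the same input would print "http://www.example.com/"
;; and then try to start xterm.
(run-browser-safe "http://www.example.com/&xterm")
```

Two caveats: this ignores the "%s" placeholder and colon-separated alternatives that some programs accept in BROWSER, and it deliberately stops treating BROWSER as a shell snippet, which is the whole point of the fix. If BROWSER must stay free-form, the URI still has to be passed as a separate argv entry rather than spliced into a string.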
