Control: unarchive 884136
Control: found 884136 2.18.2-12
Control: found 884136 2.19.81-1~exp1
Control: forcemerge 884136 898373
Control: tag 884136 confirmed

On Thu, 10 May 2018, Gabriel Corona wrote:
> lilypond-invoke-editor as shipped in Debian is still vulnerable to
> shell command injection in URIs (CVE-2017-17523).

Thanks for the report; we're actually shipping the upstream code with
their fix to 2017-17523, but clearly that fix doesn't fix the whole
thing, because they're using system instead of system*.

I'm testing a quick patch which should fix this issue, and I'll send it
upstream once I know it's working.

-- 
Don Armstrong                      https://www.donarmstrong.com

6: If we are one, then we can defeat 2.
  -- "The Prisoner (2009 Miniseries)" _Schizoid_
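
The difference between Guile's `system` and `system*` that the reply above refers to, shown as an added example; it is not LilyPond's code and not the patch mentioned in the thread. The stand-in command `true`, the sample inputs and the quoting variant are assumptions made for illustration.

```scheme
;; Added example, not LilyPond code. Run with: guile system-vs-system-star.scm
;; `true` is a stand-in for the external program; the inputs are constructed.
;; An exit status of 7 means the shell executed text taken from the input.

(define inputs
  '("http://example.invalid/; exit 7"
    "http://example.invalid/\"; exit 7; \""))

;; system: one string, interpreted by /bin/sh -c.
(define (run-concat uri)
  (status:exit-val (system (string-append "true " uri))))

;; Hypothetical quoting attempt (an assumption, not upstream's fix):
;; still a shell string, so a double quote in the input ends the quoting.
(define (run-quoted uri)
  (status:exit-val (system (string-append "true \"" uri "\""))))

;; system*: program and arguments passed as a list, no shell involved,
;; so the whole input reaches the program as a single argument.
(define (run-argv uri)
  (status:exit-val (system* "true" uri)))

(for-each
 (lambda (uri)
   (format #t "~s~%  system, concatenated: ~a~%  system, quoted:       ~a~%  system*:              ~a~%"
           uri (run-concat uri) (run-quoted uri) (run-argv uri)))
 inputs)
```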
