Bug 10910

Summary: [Update Request] lilypond 2.19.83
Product: [ROSA-based products] ROSA Fresh
Reporter: Zombie Ryushu <zombie.ryushu>
Component: Contributed Packages
Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: alzim, andrey.bondrov, denis.silakov, mc2374
Version: KDE4
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://advisories.mageia.org/MGASA-2020-0414.html
Whiteboard:
Platform: 2021.1 ROSA
Vulnerability identifier: CVE-2020-17353
RPM Package: lilypond-2.19.83-1.1.mga7
ISO-related:
Bad POT generating:
Upstream:

Description Zombie Ryushu 2020-11-15 04:26:37 MSK
It was discovered that Lilypond, a program for typesetting sheet music, did not restrict the inclusion of Postscript and SVG commands when operating in safe mode, which could result in the execution of arbitrary code when rendering a typesheet file with embedded Postscript code. (CVE-2020-17353)
Comment 1 Giovanni Mariani 2020-11-25 13:09:41 MSK
Updated to 2.19.84 (the last version that we can build successfully on 2016.1) and, while at it, switched lilypond to use guile 2.0 (to avoid clashes with other packages, such as gnucash, that already use it).
On 2019.1 we can go for 2.20.0...