ALT Linux repos
Group :: Publishing
RPM: lilypond
Navigation
Main Changelog Spec Patches Sources Download Gear Bugs and FR Repocop
Patch: lilypond-2.20.0-fix-CVE-2020-17353.patch
Download
Download
From b84ea4740f3279516905c5db05f4074e777c16ff Mon Sep 17 00:00:00 2001
From: Han-Wen Nienhuys <hanwenn@gmail.com>
Date: Tue, 21 Jul 2020 14:45:08 +0200
Subject: [PATCH 1/1] scm: disable embedded-ps and embedded-svg in -dsafe mode
This prevents executing privileged PostScript and exploiting
Ghostscript vulnerablilities
Tested:
$ lilypond -dsafe input/regression/les-nereides.ly
(works, kinda)
$ cat f.ly
{ c4_ \markup \postscript #" (x) show " }$ lilypond -dsafe f
Preprocessing graphical objects.../home/hanwen/vc/lilypond/out/share/lilypond/current/scm/define-markup-commands.scm:1145:3: In procedure ly_make_stencil in expression (ly:make-stencil (list # #) (quote #) ...):
/home/hanwen/vc/lilypond/out/share/lilypond/current/scm/define-markup-commands.scm:1145:3: Wrong type argument in position 1 (expecting registered stencil expression): (embedded-ps "
---
scm/define-stencil-commands.scm | 65 ++++++++++++++++++++++-------------------
1 file changed, 35 insertions(+), 30 deletions(-)
diff --git a/scm/define-stencil-commands.scm b/scm/define-stencil-commands.scm
index 09a2299..e388788 100644
--- a/scm/define-stencil-commands.scm
+++ b/scm/define-stencil-commands.scm
@@ -21,36 +21,41 @@
(define-public (ly:all-stencil-commands)
"Return the list of stencil commands that can be
defined in the output modules (@file{output-*.scm})."- '(blank
- char
- circle
- dashed-line
- draw-line
- ellipse
- embedded-ps
- embedded-svg
- end-group-node
- glyph-string
- grob-cause
- named-glyph
- no-origin
- page-link
- path
- partial-ellipse
- placebox
- polygon
- resetcolor
- resetrotation
- resetscale
- round-filled-box
- setcolor
- setrotation
- setscale
- start-group-node
- text
- unknown
- url-link
- utf-8-string
+ (let*
+ ((commands '(blank
+ char
+ circle
+ dashed-line
+ draw-line
+ ellipse
+ end-group-node
+ glyph-string
+ grob-cause
+ named-glyph
+ no-origin
+ page-link
+ path
+ partial-ellipse
+ placebox
+ polygon
+ resetcolor
+ resetrotation
+ resetscale
+ round-filled-box
+ setcolor
+ setrotation
+ setscale
+ start-group-node
+ text
+ unknown
+ url-link
+ utf-8-string
+ )))
+
+ (if (ly:get-option 'safe)
+ commands
+ (append '(embedded-ps embedded-svg)
+ commands))
))
;; TODO:
--
1.9.1