PT-2023-11479 · Lilypond+2 · Lilypond+2

Tstarling · Published 2023-04-15 · Updated 2025-11-19 · CVE-2020-17354

CVSS v3.1: 8.6 (High)

Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

LilyPond versions prior to 2.24

Description

The issue allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. In versions 2.24 and later, safe mode is removed, and the product no longer tries to block code execution when external files are used.

Recommendations

For versions prior to 2.24, update to version 2.24 or later, as safe mode is removed in these versions and the product no longer tries to block code execution when external files are used. As a temporary workaround, consider avoiding the use of output-def-lookup and output-def-scope until the issue is resolved.

Exploit

Fix

Incorrect Authorization

Weakness Enumeration

Related identifiers

ALT-PU-2023-6382
ALT-PU-2023-6513
ALT-PU-2025-14667
CVE-2020-17354
MGASA-2023-0325
OPENSUSE-SU-2023:0137-1

Affected products

Alt Linux
Debian
Lilypond