Debian Security Advisory
DSA-4756-1 lilypond -- security update
- Date Reported:
- 29 Aug 2020
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2020-17353.
- More information:
Faidon Liambotis discovered that Lilypond, a program for typesetting sheet music, did not restrict the inclusion of Postscript and SVG commands when operating in safe mode, which could result in the execution of arbitrary code when rendering a typesheet file with embedded Postscript code.
For the stable distribution (buster), this problem has been fixed in version 2.19.81+really-2.18.2-13+deb10u1.
We recommend that you upgrade your lilypond packages.
For the detailed security status of lilypond please refer to its security tracker page at: https://security-tracker.debian.org/tracker/lilypond