lilypond: CVE-2018-10992

Related Vulnerabilities: CVE-2018-10992, CVE-2017-17523

Debian Bug report logs - #898373
lilypond: CVE-2018-10992


Reported by: Gabriel Corona <gabriel.corona@enst-bretagne.fr>

Date: Thu, 10 May 2018 21:51:01 UTC

Severity: important

Tags: confirmed, security, upstream

Found in versions lilypond/2.19.81-1~exp1, lilypond/2.18.2-12

Fixed in versions lilypond/2.19.81-1~exp2, lilypond/2.18.2-13

Done: Don Armstrong <don@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Don Armstrong <don@debian.org>:
Bug#898373; Package lilypond. (Thu, 10 May 2018 21:51:04 GMT)


Acknowledgement sent to Gabriel Corona <gabriel.corona@enst-bretagne.fr>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Don Armstrong <don@debian.org>. (Thu, 10 May 2018 21:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lilypond: CVE-2017-17523 (again)
Date: Thu, 10 May 2018 23:49:40 +0200
Package: lilypond
Version: 2.18.2-12
Severity: grave
Tags: security
Justification: user security hole

Hi,

lilypond-invoke-editor as shipped in Debian is still vulnerable to
shell command injection in URIs (CVE-2017-17523).

This is easily demonstrated by running this shell command using an
updated lilypond package which still spawns an xterm process:

BROWSER="firefox" lilypond-invoke-editor "http://www.example.com/&xterm"

The vulnerable code snippet is still present:

(define (run-browser uri)
  (system
   (if (getenv "BROWSER")
       (format #f "~a ~a" (getenv "BROWSER") uri)
       (format #f "firefox -remote 'OpenURL(~a,new-tab)'" uri))))

Upstream bug [1] is marked as fixed but it's actually not. It has been
reported as Debian Bug 884136 which is marked as closed and archived.

[1] https://sourceforge.net/p/testlilyissues/issues/5243/

-- 
Gabriel


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lilypond depends on:
ii  ghostscript        9.22~dfsg-2.1
ii  libc6              2.27-3
ii  libfontconfig1     2.13.0-4
ii  libfreetype6       2.8.1-2
ii  libgcc1            1:8-20180425-1
ii  libglib2.0-0       2.56.1-2
ii  libgmp10           2:6.1.2+dfsg-3
ii  libltdl7           2.4.6-2.1
ii  libpango-1.0-0     1.42.0-1
ii  libpangoft2-1.0-0  1.42.0-1
ii  libstdc++6         8-20180425-1
ii  lilypond-data      2.18.2-12
ii  python             2.7.15~rc1-1

Versions of packages lilypond recommends:
ii  texlive-latex-base  2018.20180416-1

Versions of packages lilypond suggests:
pn  lilypond-doc  <none>

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Don Armstrong <don@debian.org>:
Bug#898373; Package lilypond. (Thu, 10 May 2018 23:18:03 GMT)


Acknowledgement sent to Don Armstrong <don@donarmstrong.com>:
Extra info received and forwarded to list. Copy sent to Don Armstrong <don@debian.org>. (Thu, 10 May 2018 23:18:03 GMT)


Message #10 received at 898373@bugs.debian.org:

From: Don Armstrong <don@donarmstrong.com>
To: Gabriel Corona <gabriel.corona@enst-bretagne.fr>, 898373@bugs.debian.org
Subject: Re: Bug#898373: lilypond: CVE-2017-17523 (again)
Date: Thu, 10 May 2018 16:15:23 -0700
Control: unarchive 884136
Control: found 884136 2.18.2-12
Control: found 884136 2.19.81-1~exp1
Control: forcemerge 884136 898373
Control: tag 884136 confirmed

On Thu, 10 May 2018, Gabriel Corona wrote:
> lilypond-invoke-editor as shipped in Debian is still vulnerable to
> shell command injection in URIs (CVE-2017-17523).

Thanks for the report; we're actually shipping the upstream code with
their fix to 2017-17523, but clearly that fix doesn't fix the whole
thing, because they're using system instead of system*.

I'm testing a quick patch which should fix this issue, and I'll send it
upstream once I know it's working.

-- 
Don Armstrong                      https://www.donarmstrong.com

6: If we are one, then we can defeat 2.
  -- "The Prisoner (2009 Miniseries)" _Schizoid_
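
The difference between system and system* that this message points to, as an added Guile sketch (not the Debian patch or upstream LilyPond code): the URI travels as one element of an argument vector, so no shell ever parses it. The names allowed-schemes, web-uri?, browser-argv and run-browser/argv, the http/https allowlist and the whitespace splitting of BROWSER are assumptions made for this example.

```scheme
;; Added example: not LilyPond's or Debian's code.
;; Hypothetical names: allowed-schemes, web-uri?, browser-argv, run-browser/argv.

;; Assumption: only web links are handed to the browser. Requiring the scheme
;; also rejects a "URI" that starts with "-", which the browser would
;; otherwise read as a command-line option once no shell is involved.
(define allowed-schemes '("http://" "https://"))

(define (web-uri? uri)
  (let loop ((schemes allowed-schemes))
    (cond ((null? schemes) #f)
          ((string-prefix? (car schemes) uri) #t)
          (else (loop (cdr schemes))))))

;; Build the argument vector. BROWSER may carry options ("firefox -new-tab"),
;; which the shell used to split; string-tokenize splits on whitespace instead
;; (assumption: no quoting inside BROWSER). The URI is always one element.
(define (browser-argv uri)
  (let ((words (string-tokenize (or (getenv "BROWSER") "firefox"))))
    (append (if (null? words) '("firefox") words)
            (list uri))))

;; system* executes the program directly with this vector. No /bin/sh parses
;; it, so "&", ";", "|", "$(...)" and quotes in the URI are ordinary characters.
(define (run-browser/argv uri)
  (if (web-uri? uri)
      (eqv? 0 (status:exit-val (apply system* (browser-argv uri))))
      (begin
        (format (current-error-port) "refusing to open ~s\n" uri)
        #f)))

;; Constructed demonstration: echo stands in for the browser, so nothing is
;; launched. The first call uses the URI from the report; the second is a
;; constructed option-like string that the scheme check refuses.
(setenv "BROWSER" "echo")
(run-browser/argv "http://www.example.com/&xterm")
(run-browser/argv "--constructed-option")
```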



Bug reassigned from package 'lilypond' to 'src:lilypond'. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Thu, 10 May 2018 23:39:05 GMT)


No longer marked as found in versions lilypond/2.18.2-12. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Thu, 10 May 2018 23:39:05 GMT)


Severity set to 'important' from 'grave' Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Thu, 10 May 2018 23:39:06 GMT)


Marked as found in versions lilypond/2.19.81-1~exp1, lilypond/2.18.2-4, and lilypond/2.18.2-12. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Thu, 10 May 2018 23:39:06 GMT)


Added tag(s) upstream. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Thu, 10 May 2018 23:39:07 GMT)


Merged 884136 898373 Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Thu, 10 May 2018 23:39:08 GMT)


Added tag(s) confirmed. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Thu, 10 May 2018 23:39:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Don Armstrong <don@debian.org>:
Bug#898373; Package src:lilypond. (Fri, 11 May 2018 04:33:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Don Armstrong <don@debian.org>. (Fri, 11 May 2018 04:33:02 GMT)


Message #29 received at 898373@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Don Armstrong <don@donarmstrong.com>, 898373@bugs.debian.org
Cc: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
Subject: Re: Bug#898373: lilypond: CVE-2017-17523 (again)
Date: Fri, 11 May 2018 06:30:05 +0200

Hi Don,

On Thu, May 10, 2018 at 04:15:23PM -0700, Don Armstrong wrote:
> Control: unarchive 884136
> Control: found 884136 2.18.2-12
> Control: found 884136 2.19.81-1~exp1
> Control: forcemerge 884136 898373
> Control: tag 884136 confirmed
> 
> On Thu, 10 May 2018, Gabriel Corona wrote:
> > lilypond-invoke-editor as shipped in Debian is still vulnerable to
> > shell command injection in URIs (CVE-2017-17523).
> 
> Thanks for the report; we're actually shipping the upstream code with
> their fix to 2017-17523, but clearly that fix doesn't fix the whole
> thing, because they're using system instead of system*.
> 
> I'm testing a quick patch which should fix this issue, and I'll send it
> upstream once I know it's working.

I will request a new CVE id for the "incomplete fix for
CVE-2017-17523" (but no need to wait for that assignment for fixing
the issue).

Regards,
Salvatore



Message #30 received at 884136-close@bugs.debian.org:

From: Don Armstrong <don@debian.org>
To: 884136-close@bugs.debian.org
Subject: Bug#884136: fixed in lilypond 2.18.2-13
Date: Fri, 11 May 2018 16:35:58 +0000
Source: lilypond
Source-Version: 2.18.2-13

We believe that the bug you reported is fixed in the latest version of
lilypond, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 884136@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Don Armstrong <don@debian.org> (supplier of updated lilypond package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 10 May 2018 17:24:03 -0700
Source: lilypond
Binary: lilypond lilypond-data lilypond-doc lilypond-doc-pdf lilypond-doc-html lilypond-doc-html-cs lilypond-doc-html-de lilypond-doc-html-es lilypond-doc-html-fr lilypond-doc-html-hu lilypond-doc-html-it lilypond-doc-html-ja lilypond-doc-html-nl lilypond-doc-html-zh lilypond-doc-pdf-de lilypond-doc-pdf-es lilypond-doc-pdf-fr lilypond-doc-pdf-hu lilypond-doc-pdf-it lilypond-doc-pdf-nl
Architecture: source all amd64
Version: 2.18.2-13
Distribution: unstable
Urgency: medium
Maintainer: Don Armstrong <don@debian.org>
Changed-By: Don Armstrong <don@debian.org>
Description:
 lilypond   - program for typesetting sheet music
 lilypond-data - LilyPond music typesetter (data files)
 lilypond-doc - LilyPond Documentation in info format (and metapackage)
 lilypond-doc-html - LilyPond HTML Documentation
 lilypond-doc-html-cs - LilyPond HTML Documentation in Czech
 lilypond-doc-html-de - LilyPond HTML Documentation in German
 lilypond-doc-html-es - LilyPond HTML Documentation in Spanish
 lilypond-doc-html-fr - LilyPond HTML Documentation in French
 lilypond-doc-html-hu - LilyPond HTML Documentation in Hungarian
 lilypond-doc-html-it - LilyPond HTML Documentation in Italian
 lilypond-doc-html-ja - LilyPond HTML Documentation in Japanese
 lilypond-doc-html-nl - LilyPond HTML Documentation in Dutch
 lilypond-doc-html-zh - LilyPond HTML Documentation in Chinese
 lilypond-doc-pdf - LilyPond PDF Documentation
 lilypond-doc-pdf-de - LilyPond PDF Documentation in German
 lilypond-doc-pdf-es - LilyPond PDF Documentation in Spanish
 lilypond-doc-pdf-fr - LilyPond PDF Documentation in French
 lilypond-doc-pdf-hu - LilyPond PDF Documentation in Hungarian
 lilypond-doc-pdf-it - LilyPond PDF Documentation in Italian
 lilypond-doc-pdf-nl - LilyPond PDF Documentation in Dutch
Closes: 884136
Changes:
 lilypond (2.18.2-13) unstable; urgency=medium
 .
   * Switch lilypond-invoke-editor to use system* instead of system to fix
     CVE-2017-17523 for non textedit:// URIs. (Closes: #884136)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Message #31 received at 884136-close@bugs.debian.org:

From: Don Armstrong <don@debian.org>
To: 884136-close@bugs.debian.org
Subject: Bug#884136: fixed in lilypond 2.19.81-1~exp2
Date: Fri, 11 May 2018 20:48:14 +0000
Source: lilypond
Source-Version: 2.19.81-1~exp2

We believe that the bug you reported is fixed in the latest version of
lilypond, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 884136@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Don Armstrong <don@debian.org> (supplier of updated lilypond package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 10 May 2018 17:24:03 -0700
Source: lilypond
Binary: lilypond lilypond-data lilypond-doc lilypond-doc-pdf lilypond-doc-html lilypond-doc-html-ca lilypond-doc-html-cs lilypond-doc-html-de lilypond-doc-html-es lilypond-doc-html-fr lilypond-doc-html-hu lilypond-doc-html-it lilypond-doc-html-ja lilypond-doc-html-nl lilypond-doc-html-zh lilypond-doc-pdf-ca lilypond-doc-pdf-de lilypond-doc-pdf-es lilypond-doc-pdf-fr lilypond-doc-pdf-hu lilypond-doc-pdf-it lilypond-doc-pdf-nl
Architecture: source all amd64
Version: 2.19.81-1~exp2
Distribution: unstable
Urgency: medium
Maintainer: Don Armstrong <don@debian.org>
Changed-By: Don Armstrong <don@debian.org>
Description:
 lilypond   - program for typesetting sheet music
 lilypond-data - LilyPond music typesetter (data files)
 lilypond-doc - LilyPond Documentation in info format (and metapackage)
 lilypond-doc-html - LilyPond HTML Documentation
 lilypond-doc-html-ca - LilyPond HTML Documentation in Catalan
 lilypond-doc-html-cs - LilyPond HTML Documentation in Czech
 lilypond-doc-html-de - LilyPond HTML Documentation in German
 lilypond-doc-html-es - LilyPond HTML Documentation in Spanish
 lilypond-doc-html-fr - LilyPond HTML Documentation in French
 lilypond-doc-html-hu - LilyPond HTML Documentation in Hungarian
 lilypond-doc-html-it - LilyPond HTML Documentation in Italian
 lilypond-doc-html-ja - LilyPond HTML Documentation in Japanese
 lilypond-doc-html-nl - LilyPond HTML Documentation in Dutch
 lilypond-doc-html-zh - LilyPond HTML Documentation in Chinese
 lilypond-doc-pdf - LilyPond PDF Documentation
 lilypond-doc-pdf-ca - LilyPond PDF Documentation in Catalan
 lilypond-doc-pdf-de - LilyPond PDF Documentation in German
 lilypond-doc-pdf-es - LilyPond PDF Documentation in Spanish
 lilypond-doc-pdf-fr - LilyPond PDF Documentation in French
 lilypond-doc-pdf-hu - LilyPond PDF Documentation in Hungarian
 lilypond-doc-pdf-it - LilyPond PDF Documentation in Italian
 lilypond-doc-pdf-nl - LilyPond PDF Documentation in Dutch
Closes: 884136
Changes:
 lilypond (2.19.81-1~exp2) unstable; urgency=medium
 .
   * Switch lilypond-invoke-editor to use system* instead of system to fix
     CVE-2017-17523 for non textedit:// URIs. (Closes: #884136)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Disconnected #898373 from all other report(s). Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 12 May 2018 06:27:03 GMT)


Changed Bug title to 'lilypond: CVE-2018-10992' from 'lilypond: CVE-2017-17523 (again)'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 12 May 2018 06:27:05 GMT)


Message sent on to Gabriel Corona <gabriel.corona@enst-bretagne.fr>:
Bug#898373. (Sat, 12 May 2018 06:27:08 GMT)


Message #38 received at 898373-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 884136-submitter@bugs.debian.org, 898373-submitter@bugs.debian.org
Subject: unmerging 898373, retitle 884136 to lilypond: CVE-2017-17523, found 884136 in 2.18.2-4 ...
Date: Sat, 12 May 2018 08:21:35 +0200

unmerge 898373
retitle 884136 lilypond: CVE-2017-17523
found 884136 2.18.2-4
close 884136 2.18.2-12
close 884136 2.19.81-1~exp1
retitle 898373 lilypond: CVE-2018-10992
found 898373 2.18.2-12
found 898373 2.19.81-1~exp1
close 898373 2.18.2-13
close 898373 2.19.81-1~exp2
thanks

CVE-2018-10992 was assigned separately to #898373 as incomplete fix for CVE-2017-17523 (#884136).




No longer marked as found in versions lilypond/2.18.2-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 12 May 2018 06:39:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 15 Jun 2018 07:29:11 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:00:15 2019; Machine Name: beach
