[Secure-testing-team] Bug#884136: lilypond: CVE-2017-17523
Salvatore Bonaccorso
carnil at debian.org
Mon Dec 11 20:10:13 UTC 2017
Source: lilypond
Version: 2.18.2-4
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for lilypond.
For a description of the issue see [1], in the "Similar
vulnerabilities in other packages" section.
CVE-2017-17523[0]:
| lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings
| before launching the program specified by the BROWSER environment
| variable, which allows remote attackers to conduct argument-injection
| attacks via a crafted URL, as demonstrated by a --proxy-pac-file
| argument.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-17523
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17523
[1] https://bugs.debian.org/881767
Regards,
Salvatore