Your message dated Fri, 11 May 2018 16:35:58 +0000
with message-id <[email protected]>
and subject line Bug#884136: fixed in lilypond 2.18.2-13
has caused the Debian Bug report #884136,
regarding lilypond: CVE-2017-17523
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
884136: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884136
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: lilypond
Version: 2.18.2-4
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for lilypond.
For a description of the issue see [1], in the "Similar
vulnerabilities in other packages" section.
CVE-2017-17523[0]:
| lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings
| before launching the program specified by the BROWSER environment
| variable, which allows remote attackers to conduct argument-injection
| attacks via a crafted URL, as demonstrated by a --proxy-pac-file
| argument.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-17523
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17523
[1] https://bugs.debian.org/881767
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: lilypond
Source-Version: 2.18.2-13
We believe that the bug you reported is fixed in the latest version of
lilypond, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Don Armstrong <[email protected]> (supplier of updated lilypond package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 10 May 2018 17:24:03 -0700
Source: lilypond
Binary: lilypond lilypond-data lilypond-doc lilypond-doc-pdf lilypond-doc-html
lilypond-doc-html-cs lilypond-doc-html-de lilypond-doc-html-es
lilypond-doc-html-fr lilypond-doc-html-hu lilypond-doc-html-it
lilypond-doc-html-ja lilypond-doc-html-nl lilypond-doc-html-zh
lilypond-doc-pdf-de lilypond-doc-pdf-es lilypond-doc-pdf-fr lilypond-doc-pdf-hu
lilypond-doc-pdf-it lilypond-doc-pdf-nl
Architecture: source all amd64
Version: 2.18.2-13
Distribution: unstable
Urgency: medium
Maintainer: Don Armstrong <[email protected]>
Changed-By: Don Armstrong <[email protected]>
Description:
lilypond - program for typesetting sheet music
lilypond-data - LilyPond music typesetter (data files)
lilypond-doc - LilyPond Documentation in info format (and metapackage)
lilypond-doc-html - LilyPond HTML Documentation
lilypond-doc-html-cs - LilyPond HTML Documentation in Czech
lilypond-doc-html-de - LilyPond HTML Documentation in German
lilypond-doc-html-es - LilyPond HTML Documentation in Spanish
lilypond-doc-html-fr - LilyPond HTML Documentation in French
lilypond-doc-html-hu - LilyPond HTML Documentation in Hungarian
lilypond-doc-html-it - LilyPond HTML Documentation in Italian
lilypond-doc-html-ja - LilyPond HTML Documentation in Japanese
lilypond-doc-html-nl - LilyPond HTML Documentation in Dutch
lilypond-doc-html-zh - LilyPond HTML Documentation in Chinese
lilypond-doc-pdf - LilyPond PDF Documentation
lilypond-doc-pdf-de - LilyPond PDF Documentation in German
lilypond-doc-pdf-es - LilyPond PDF Documentation in Spanish
lilypond-doc-pdf-fr - LilyPond PDF Documentation in French
lilypond-doc-pdf-hu - LilyPond PDF Documentation in Hungarian
lilypond-doc-pdf-it - LilyPond PDF Documentation in Italian
lilypond-doc-pdf-nl - LilyPond PDF Documentation in Dutch
Closes: 884136
Changes:
lilypond (2.18.2-13) unstable; urgency=medium
.
* Switch lilypond-invoke-editor to use system* instead of system to fix
CVE-2017-17523 for non textedit:// URIs. (Closes: #884136)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
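The changelog entry above replaces a shell-string call (`system`) with an argument-vector call (`system*`). The following added example is not part of the original messages or of the lilypond package: it shows the same distinction in Python on a POSIX system, using a constructed URL and a stand-in "browser" that only echoes the arguments it receives. The names `ARGV_ECHO`, `CRAFTED_URL`, `ALLOWED_SCHEMES` and the scheme check are assumptions of this example.

```python
import shlex
import subprocess
import sys

# Stand-in for the program named by $BROWSER: prints each argument on its own line.
ARGV_ECHO = [sys.executable, "-c", "import sys; [print(a) for a in sys.argv[1:]]"]

# Constructed sample input: a URL followed by whitespace and an option-like token.
CRAFTED_URL = "http://example.invalid/doc --constructed-option=value"

# Assumption of this example, not taken from the package: schemes a browser may open.
ALLOWED_SCHEMES = ("http://", "https://", "file://")


def args_via_shell(url):
    """Pre-fix pattern (like Guile's `system`): one string interpreted by /bin/sh."""
    cmd = " ".join(shlex.quote(a) for a in ARGV_ECHO) + " " + url  # url left unquoted
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def args_via_argv(url):
    """Post-fix pattern (like Guile's `system*`): argv handed to exec, no shell."""
    out = subprocess.run(ARGV_ECHO + [url], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def checked_url(url):
    """Extra hardening beyond the changelog: an argv call still passes a value
    that begins with '-' to the program as an option, so require a known scheme."""
    if not url.startswith(ALLOWED_SCHEMES):
        raise ValueError("refusing to pass non-URL argument: %r" % url)
    return url


if __name__ == "__main__":
    print("shell string:", args_via_shell(CRAFTED_URL))  # two separate arguments
    print("argv vector: ", args_via_argv(CRAFTED_URL))   # one argument, spaces intact
    try:
        checked_url("--constructed-option=value")
    except ValueError as exc:
        print("rejected:", exc)
```
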