Source: lilypond
Version: 2.20.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.19.81+really-2.18.2-13

Hi,

The following vulnerability was published for lilypond.

CVE-2020-17353[0]:
| scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x
| through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps
| and embedded-svg, as demonstrated by including dangerous PostScript
| code.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-17353
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17353
[1] http://git.savannah.gnu.org/gitweb/?p=lilypond.git;a=commit;h=b84ea4740f3279516905c5db05f4074e777c16ff

Regards,
Salvatore