Security update for lilypond SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:1360-1 Final 1 1 2018-05-20T21:16:19Z current 2018-05-20T21:16:19Z 2018-05-20T21:16:19Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for lilypond This update for lilypond fixes the following issues: - CVE-2018-10992: lilypond: Does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks (bsc#1093056) - packages do not build reproducibly from unsorted input (bsc#1041090) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2018-05/msg00088.html E-Mail link for openSUSE-SU-2018:1360-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 lilypond-2.18.2-7.3.1 lilypond-century-schoolbook-l-fonts-2.18.2-7.3.1 lilypond-doc-2.18.2-7.3.1 lilypond-doc-cs-2.18.2-7.3.1 lilypond-doc-de-2.18.2-7.3.1 lilypond-doc-es-2.18.2-7.3.1 lilypond-doc-fr-2.18.2-7.3.1 lilypond-doc-hu-2.18.2-7.3.1 lilypond-doc-it-2.18.2-7.3.1 lilypond-doc-ja-2.18.2-7.3.1 lilypond-doc-nl-2.18.2-7.3.1 lilypond-doc-zh-2.18.2-7.3.1 lilypond-emmentaler-fonts-2.18.2-7.3.1 lilypond-fonts-common-2.18.2-7.3.1 lilypond-2.18.2-7.3.1 as a component of openSUSE Leap 42.3 lilypond-century-schoolbook-l-fonts-2.18.2-7.3.1 as a component of openSUSE Leap 42.3 lilypond-doc-2.18.2-7.3.1 as a component of openSUSE Leap 42.3 lilypond-doc-cs-2.18.2-7.3.1 as a component of openSUSE Leap 42.3 lilypond-doc-de-2.18.2-7.3.1 as a component of openSUSE Leap 42.3 lilypond-doc-es-2.18.2-7.3.1 as a component of openSUSE Leap 42.3 lilypond-doc-fr-2.18.2-7.3.1 as a component of openSUSE Leap 42.3 lilypond-doc-hu-2.18.2-7.3.1 as a component of openSUSE Leap 42.3 lilypond-doc-it-2.18.2-7.3.1 as a component of openSUSE Leap 42.3 lilypond-doc-ja-2.18.2-7.3.1 as a component of openSUSE Leap 42.3 lilypond-doc-nl-2.18.2-7.3.1 as a component of openSUSE Leap 42.3 lilypond-doc-zh-2.18.2-7.3.1 as a component of openSUSE Leap 42.3 lilypond-emmentaler-fonts-2.18.2-7.3.1 as a component of openSUSE Leap 42.3 lilypond-fonts-common-2.18.2-7.3.1 as a component of openSUSE Leap 42.3 lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument, because the GNU Guile code uses the system Scheme procedure instead of the system* Scheme procedure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-17523. CVE-2018-10992 openSUSE Leap 42.3:lilypond-2.18.2-7.3.1 openSUSE Leap 42.3:lilypond-century-schoolbook-l-fonts-2.18.2-7.3.1 openSUSE Leap 42.3:lilypond-doc-2.18.2-7.3.1 openSUSE Leap 42.3:lilypond-doc-cs-2.18.2-7.3.1 openSUSE Leap 42.3:lilypond-doc-de-2.18.2-7.3.1 openSUSE Leap 42.3:lilypond-doc-es-2.18.2-7.3.1 openSUSE Leap 42.3:lilypond-doc-fr-2.18.2-7.3.1 openSUSE Leap 42.3:lilypond-doc-hu-2.18.2-7.3.1 openSUSE Leap 42.3:lilypond-doc-it-2.18.2-7.3.1 openSUSE Leap 42.3:lilypond-doc-ja-2.18.2-7.3.1 openSUSE Leap 42.3:lilypond-doc-nl-2.18.2-7.3.1 openSUSE Leap 42.3:lilypond-doc-zh-2.18.2-7.3.1 openSUSE Leap 42.3:lilypond-emmentaler-fonts-2.18.2-7.3.1 openSUSE Leap 42.3:lilypond-fonts-common-2.18.2-7.3.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-05/msg00088.html https://www.suse.com/security/cve/CVE-2018-10992.html CVE-2018-10992 https://bugzilla.suse.com/1093056 SUSE Bug 1093056