Unrated severity · NVD Advisory · Published Apr 15, 2023 · Updated Feb 6, 2025
CVE-2020-17354
Description
LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used.
Affected products (6)
- osv-coords (4 versions), range: < 2.2.6-bp154.3.3.1 (+ 3 more)
  - pkg:rpm/opensuse/guile1&distro=openSUSE%20Leap%2015.4
  - pkg:rpm/opensuse/lilypond&distro=openSUSE%20Leap%2015.4
  - pkg:rpm/suse/guile1&distro=SUSE%20Package%20Hub%2015%20SP4
  - pkg:rpm/suse/lilypond&distro=SUSE%20Package%20Hub%2015%20SP4
- (no CPE) range: < 2.2.6-bp154.3.3.1
- (no CPE) range: < 2.24.1-bp154.2.3.2
- (no CPE) range: < 2.2.6-bp154.3.3.1
- (no CPE) range: < 2.24.1-bp154.2.3.2
References (8)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K43PF6VGFJNNGAPY57BW3VMEFFOSMRLF/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ST5BLLQ4GDME3SN7UE5OMNE5GZE66X4Y/ (mitre, vendor-advisory)
- lilypond.org/doc/v2.18/Documentation/usage/command_002dline-usage (mitre)
- gitlab.com/lilypond/lilypond/-/merge_requests/1522 (mitre)
- lilypond.org/download.html (mitre)
- phabricator.wikimedia.org/T259210 (mitre)
- tracker.debian.org/news/1249694/accepted-lilypond-2221-1-source-into-unstable/ (mitre)
- www.mediawiki.org/wiki/Extension:Score/2021_security_advisory (mitre)