Your message dated Mon, 29 Jan 2018 21:07:27 +0000
with message-id <[email protected]>
and subject line Bug#884136: fixed in lilypond 2.18.2-12
has caused the Debian Bug report #884136,
regarding lilypond: CVE-2017-17523
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
884136: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884136
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: lilypond
Version: 2.18.2-4
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for lilypond.
For a description of the issue see [1], in the "Similar
vulnerabilities in other packages" section.
CVE-2017-17523[0]:
| lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings
| before launching the program specified by the BROWSER environment
| variable, which allows remote attackers to conduct argument-injection
| attacks via a crafted URL, as demonstrated by a --proxy-pac-file
| argument.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-17523
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17523
[1] https://bugs.debian.org/881767
Regards,
Salvatore
--- End Message ---
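The class of bug named in the CVE text above, as an added example: this is not LilyPond's code and not the upstream fix. It contrasts a launcher that word-splits a command string built from BROWSER and the URL with one that validates the URL and passes it as a single argv element. The function names, the scheme allow-list and the sample values are assumptions made for illustration, and BROWSER is treated as one command with optional arguments.

```python
import shlex
from urllib.parse import urlsplit

# Assumption: schemes a documentation/browser launcher would need.
ALLOWED_SCHEMES = {"http", "https", "file"}

# Constructed sample input, modelled on the CVE description.
CRAFTED = "http://example.invalid/ --proxy-pac-file=http://example.invalid/p.pac"


def naive_argv(browser, url):
    """Vulnerable pattern: join BROWSER and URL, then word-split the result.

    Whitespace inside the URL becomes an argument boundary, so part of the
    "URL" reaches the browser as a separate option.
    """
    return shlex.split(f"{browser} {url}")


def is_safe_url(url):
    """Accept only a URL that cannot be read as an option or as several words."""
    if not url or url.startswith("-"):
        return False
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    parts = urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc or parts.path)


def safe_argv(browser, url):
    """Hardened pattern: validate, then append the URL as exactly one element.

    Only BROWSER is split into words; the URL is never re-parsed, and no
    shell is involved when the list is handed to an exec-style call.
    """
    if not is_safe_url(url):
        raise ValueError("refusing to launch browser with unvalidated URL")
    return shlex.split(browser) + [url]


if __name__ == "__main__":
    print("naive:", naive_argv("chromium", CRAFTED))
    try:
        safe_argv("chromium", CRAFTED)
    except ValueError as exc:
        print("safe :", exc)
    print("safe :", safe_argv("firefox -new-tab", "https://lilypond.org/doc/?a=1&b=2"))
```

The list returned by `safe_argv` is meant for an exec-style call such as `subprocess.run(argv)` without `shell=True`.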
--- Begin Message ---
Source: lilypond
Source-Version: 2.18.2-12
We believe that the bug you reported is fixed in the latest version of
lilypond, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <[email protected]> (supplier of updated lilypond package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 29 Jan 2018 20:59:58 +0100
Source: lilypond
Binary: lilypond lilypond-data lilypond-doc lilypond-doc-pdf lilypond-doc-html
lilypond-doc-html-cs lilypond-doc-html-de lilypond-doc-html-es
lilypond-doc-html-fr lilypond-doc-html-hu lilypond-doc-html-it
lilypond-doc-html-ja lilypond-doc-html-nl lilypond-doc-html-zh
lilypond-doc-pdf-de lilypond-doc-pdf-es lilypond-doc-pdf-fr lilypond-doc-pdf-hu
lilypond-doc-pdf-it lilypond-doc-pdf-nl
Architecture: source
Version: 2.18.2-12
Distribution: unstable
Urgency: medium
Maintainer: Don Armstrong <[email protected]>
Changed-By: Dr. Tobias Quathamer <[email protected]>
Description:
lilypond - program for typesetting sheet music
lilypond-data - LilyPond music typesetter (data files)
lilypond-doc - LilyPond Documentation in info format (and metapackage)
lilypond-doc-html - LilyPond HTML Documentation
lilypond-doc-html-cs - LilyPond HTML Documentation in Czech
lilypond-doc-html-de - LilyPond HTML Documentation in German
lilypond-doc-html-es - LilyPond HTML Documentation in Spanish
lilypond-doc-html-fr - LilyPond HTML Documentation in French
lilypond-doc-html-hu - LilyPond HTML Documentation in Hungarian
lilypond-doc-html-it - LilyPond HTML Documentation in Italian
lilypond-doc-html-ja - LilyPond HTML Documentation in Japanese
lilypond-doc-html-nl - LilyPond HTML Documentation in Dutch
lilypond-doc-html-zh - LilyPond HTML Documentation in Chinese
lilypond-doc-pdf - LilyPond PDF Documentation
lilypond-doc-pdf-de - LilyPond PDF Documentation in German
lilypond-doc-pdf-es - LilyPond PDF Documentation in Spanish
lilypond-doc-pdf-fr - LilyPond PDF Documentation in French
lilypond-doc-pdf-hu - LilyPond PDF Documentation in Hungarian
lilypond-doc-pdf-it - LilyPond PDF Documentation in Italian
lilypond-doc-pdf-nl - LilyPond PDF Documentation in Dutch
Closes: 884136
Changes:
lilypond (2.18.2-12) unstable; urgency=medium
.
* Fix argument injection in lilypond-invoke-editor, CVE-2017-17523.
This is a cherry-pick of upstream's fix, see
https://sourceforge.net/p/testlilyissues/issues/5243/ (Closes: #884136)
* Update Standards-Version to 4.1.3, no changes needed
* Update d/copyright
* Switch Vcs-URLs to salsa.d.o and add default branch for git
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---