commit:     b643169012fae9013d509ef7fc19602450113b77
Author:     Miroslav Šulc <fordfrog <AT> gentoo <DOT> org>
AuthorDate: Wed Aug  5 17:57:09 2020 +0000
Commit:     Miroslav Šulc <fordfrog <AT> gentoo <DOT> org>
CommitDate: Wed Aug  5 17:57:26 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6431690

media-sound/lilypond: fixed cve-2020-17353

Bug: https://bugs.gentoo.org/736074
Package-Manager: Portage-3.0.1, Repoman-2.3.23
Signed-off-by: Miroslav Šulc <fordfrog <AT> gentoo.org>

 .../files/lilypond-fix-cve-2020-17353.patch        | 101 +++++++++++++++++++++
 ...ond-2.21.4.ebuild => lilypond-2.21.1-r1.ebuild} |   5 +-
 ...ond-2.21.4.ebuild => lilypond-2.21.4-r1.ebuild} |   1 +
 3 files changed, 105 insertions(+), 2 deletions(-)

diff --git a/media-sound/lilypond/files/lilypond-fix-cve-2020-17353.patch 
b/media-sound/lilypond/files/lilypond-fix-cve-2020-17353.patch
new file mode 100644
index 00000000000..e91947eae05
--- /dev/null
+++ b/media-sound/lilypond/files/lilypond-fix-cve-2020-17353.patch
@@ -0,0 +1,101 @@
+From b84ea4740f3279516905c5db05f4074e777c16ff Mon Sep 17 00:00:00 2001
+From: Han-Wen Nienhuys <[email protected]>
+Date: Tue, 21 Jul 2020 14:45:08 +0200
+Subject: [PATCH] scm: disable embedded-ps and embedded-svg in -dsafe mode
+
+This prevents executing privileged PostScript and exploiting
+Ghostscript vulnerablilities
+
+Tested:
+ $ lilypond -dsafe input/regression/les-nereides.ly
+ (works, kinda)
+
+ $ cat f.ly
+ { c4_ \markup \postscript #" (x) show " }
+
+ $ lilypond -dsafe f
+ Preprocessing graphical 
objects.../home/hanwen/vc/lilypond/out/share/lilypond/current/scm/define-markup-commands.scm:1145:3:
 In procedure ly_make_stencil in expression (ly:make-stencil (list # #) (quote 
#) ...):
+  
/home/hanwen/vc/lilypond/out/share/lilypond/current/scm/define-markup-commands.scm:1145:3:
 Wrong type argument in position 1 (expecting registered stencil expression): 
(embedded-ps "
+---
+ scm/define-stencil-commands.scm | 65 ++++++++++++++++++++++-------------------
+ 1 file changed, 35 insertions(+), 30 deletions(-)
+
+diff --git a/scm/define-stencil-commands.scm b/scm/define-stencil-commands.scm
+index 09a2299..e388788 100644
+--- a/scm/define-stencil-commands.scm
++++ b/scm/define-stencil-commands.scm
+@@ -21,36 +21,41 @@
+ (define-public (ly:all-stencil-commands)
+   "Return the list of stencil commands that can be
+ defined in the output modules (@file{output-*.scm})."
+-  '(blank
+-    char
+-    circle
+-    dashed-line
+-    draw-line
+-    ellipse
+-    embedded-ps
+-    embedded-svg
+-    end-group-node
+-    glyph-string
+-    grob-cause
+-    named-glyph
+-    no-origin
+-    page-link
+-    path
+-    partial-ellipse
+-    placebox
+-    polygon
+-    resetcolor
+-    resetrotation
+-    resetscale
+-    round-filled-box
+-    setcolor
+-    setrotation
+-    setscale
+-    start-group-node
+-    text
+-    unknown
+-    url-link
+-    utf-8-string
++  (let*
++      ((commands '(blank
++                   char
++                   circle
++                   dashed-line
++                   draw-line
++                   ellipse
++                   end-group-node
++                   glyph-string
++                   grob-cause
++                   named-glyph
++                   no-origin
++                   page-link
++                   path
++                   partial-ellipse
++                   placebox
++                   polygon
++                   resetcolor
++                   resetrotation
++                   resetscale
++                   round-filled-box
++                   setcolor
++                   setrotation
++                   setscale
++                   start-group-node
++                   text
++                   unknown
++                   url-link
++                   utf-8-string
++                   )))
++
++    (if (ly:get-option 'safe)
++        commands
++        (append '(embedded-ps embedded-svg)
++                commands))
+     ))
+ 
+ ;; TODO:
+-- 
+1.9.1
+
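Review bot: With embedded-ps and embedded-svg dropped from the registered command list in safe mode, a `\markup \postscript` input fails deep inside ly:make-stencil with the generic "Wrong type argument in position 1 (expecting registered stencil expression)" message quoted in the patch description, so a user of `-dsafe` is not told that the command was deliberately refused. An explicit diagnostic at the point where the markup command is rejected, along the lines of `(ly:warning "embedded-ps is disabled in safe mode")`, would make the refusal self-explanatory and easier to spot in build logs. As a point of style, the `let*` in ly:all-stencil-commands binds a single name and could simply be `let`, and the lone `)` on its own line after `utf-8-string` would conventionally close on the preceding line.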

diff --git a/media-sound/lilypond/lilypond-2.21.4.ebuild 
b/media-sound/lilypond/lilypond-2.21.1-r1.ebuild
similarity index 95%
copy from media-sound/lilypond/lilypond-2.21.4.ebuild
copy to media-sound/lilypond/lilypond-2.21.1-r1.ebuild
index 3aa63a51f18..1f1e8202a99 100644
--- a/media-sound/lilypond/lilypond-2.21.4.ebuild
+++ b/media-sound/lilypond/lilypond-2.21.1-r1.ebuild
@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
-PYTHON_COMPAT=( python3_{6,7,8,9} )
+PYTHON_COMPAT=( python3_{6,7,8} )
 
 inherit elisp-common autotools python-single-r1 toolchain-funcs xdg-utils
 
@@ -54,7 +54,8 @@ DEPEND="${RDEPEND}
 RESTRICT="test"
 
 PATCHES=(
-       "${FILESDIR}"/${PN}-2.21.1-fix-font-size.patch
+       "${FILESDIR}"/${P}-fix-font-size.patch
+       "${FILESDIR}"/${PN}-fix-cve-2020-17353.patch
 )
 
 DOCS=( DEDICATION HACKING README.txt ROADMAP )
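Review bot: The CVE patch added to PATCHES here is the upstream commit against LilyPond master from July 2020, and nothing in this diff shows it being applied to the 2.21.1 tree; if scm/define-stencil-commands.scm differs in 2.21.1 the hunk at `@@ -21,36 +21,41 @@` would fail to apply, so a test merge of lilypond-2.21.1-r1 would confirm it. The switch from `${PN}-2.21.1-fix-font-size.patch` to `${P}-fix-font-size.patch` resolves to the same file for this ebuild, but it ties the filename to the package version, so a future copy of this ebuild to another version would need the patch renamed or the line reverted to the explicit form.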

diff --git a/media-sound/lilypond/lilypond-2.21.4.ebuild 
b/media-sound/lilypond/lilypond-2.21.4-r1.ebuild
similarity index 98%
rename from media-sound/lilypond/lilypond-2.21.4.ebuild
rename to media-sound/lilypond/lilypond-2.21.4-r1.ebuild
index 3aa63a51f18..0196e4c7d4d 100644
--- a/media-sound/lilypond/lilypond-2.21.4.ebuild
+++ b/media-sound/lilypond/lilypond-2.21.4-r1.ebuild
@@ -55,6 +55,7 @@ RESTRICT="test"
 
 PATCHES=(
        "${FILESDIR}"/${PN}-2.21.1-fix-font-size.patch
+       "${FILESDIR}"/${PN}-fix-cve-2020-17353.patch
 )
 
 DOCS=( DEDICATION HACKING README.txt ROADMAP )
