Hello community,

here is the log from the commit of package lilypond for openSUSE:Factory checked in at 2020-08-07 14:08:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lilypond (Old)
 and      /work/SRC/openSUSE:Factory/.lilypond.new.3399 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lilypond" Fri Aug 7 14:08:53 2020 rev:30 rq:824690 version:2.20.0 Changes: -------- --- /work/SRC/openSUSE:Factory/lilypond/lilypond.changes 2020-05-08 23:08:16.102219741 +0200 +++ /work/SRC/openSUSE:Factory/.lilypond.new.3399/lilypond.changes 2020-08-07 14:09:49.614201262 +0200 @@ -1,0 +2,6 @@ +Thu Aug 6 09:19:51 UTC 2020 - Dave Plater <[email protected]> + +- Add patch from git to fix boo#1174949 - CVE-2020-17353: + 0001-scm-disable-embedded-ps-and-embedded-svg-in-dsafe-mo.patch + +------------------------------------------------------------------- New: ---- 0001-scm-disable-embedded-ps-and-embedded-svg-in-dsafe-mo.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lilypond-doc.spec ++++++ --- /var/tmp/diff_new_pack.RHwgyo/_old 2020-08-07 14:09:59.214184180 +0200 +++ /var/tmp/diff_new_pack.RHwgyo/_new 2020-08-07 14:09:59.218184173 +0200 @@ -57,12 +57,10 @@ BuildRequires: ghostscript >= 8.60 BuildRequires: ghostscript-fonts-other BuildRequires: ghostscript-fonts-std -BuildRequires: guile1 >= 1.8.2 BuildRequires: gzip BuildRequires: ifntjapa BuildRequires: liberation-fonts BuildRequires: libgnutls-devel -BuildRequires: libguile1-devel >= 1.8.2 BuildRequires: libtool BuildRequires: lilypond = %{version} BuildRequires: lndir @@ -89,6 +87,7 @@ BuildRequires: xfntjp BuildRequires: xorg-x11-fonts BuildRequires: zip +BuildRequires: pkgconfig(guile-1.8) BuildRequires: pkgconfig(python3) Requires: lilypond = %{version} Requires(pre): %{install_info_prereq} %{_bindir}/touch %{_bindir}/sed ++++++ lilypond.spec ++++++ --- /var/tmp/diff_new_pack.RHwgyo/_old 2020-08-07 14:09:59.234184144 +0200 +++ /var/tmp/diff_new_pack.RHwgyo/_new 2020-08-07 14:09:59.238184137 +0200 
@@ -35,6 +35,7 @@ Patch2: add_dircategories_to_documentation.patch Patch3: Issue-5243-1-editor-scm-Add-shell-quote-argument-function.diff Patch4: use_cstring_and_ctype_includes.patch +Patch5: 0001-scm-disable-embedded-ps-and-embedded-svg-in-dsafe-mo.patch BuildRequires: ImageMagick BuildRequires: bison BuildRequires: dblatex @@ -47,10 +48,10 @@ BuildRequires: ghostscript >= 8.15 BuildRequires: ghostscript-fonts-other BuildRequires: ghostscript-fonts-std -BuildRequires: libguile1-devel >= 1.8 BuildRequires: makeinfo >= 6.1 BuildRequires: mftrace >= 1.1.19 BuildRequires: potrace-devel +BuildRequires: pkgconfig(guile-1.8) # Needed for pngtopnm BuildRequires: netpbm BuildRequires: pkgconfig ++++++ 0001-scm-disable-embedded-ps-and-embedded-svg-in-dsafe-mo.patch ++++++ >From b84ea4740f3279516905c5db05f4074e777c16ff Mon Sep 17 00:00:00 2001 From: Han-Wen Nienhuys <[email protected]> Date: Tue, 21 Jul 2020 14:45:08 +0200 Subject: [PATCH] scm: disable embedded-ps and embedded-svg in -dsafe mode This prevents executing privileged PostScript and exploiting Ghostscript vulnerablilities Tested: $ lilypond -dsafe input/regression/les-nereides.ly (works, kinda) $ cat f.ly { c4_ \markup \postscript #" (x) show " } $ lilypond -dsafe f Preprocessing graphical objects.../home/hanwen/vc/lilypond/out/share/lilypond/current/scm/define-markup-commands.scm:1145:3: In procedure ly_make_stencil in expression (ly:make-stencil (list # #) (quote #) ...): /home/hanwen/vc/lilypond/out/share/lilypond/current/scm/define-markup-commands.scm:1145:3: Wrong type argument in position 1 (expecting registered stencil expression): (embedded-ps " --- scm/define-stencil-commands.scm | 65 ++++++++++++++++++--------------- 1 file changed, 35 insertions(+), 30 deletions(-) diff --git a/scm/define-stencil-commands.scm b/scm/define-stencil-commands.scm index 09a2299eda..e38878832a 100644 --- a/scm/define-stencil-commands.scm +++ b/scm/define-stencil-commands.scm 
@@ -21,36 +21,41 @@ (define-public (ly:all-stencil-commands) "Return the list of stencil commands that can be defined in the output modules (@file{output-*.scm})." - '(blank - char - circle - dashed-line - draw-line - ellipse - embedded-ps - embedded-svg - end-group-node - glyph-string - grob-cause - named-glyph - no-origin - page-link - path - partial-ellipse - placebox - polygon - resetcolor - resetrotation - resetscale - round-filled-box - setcolor - setrotation - setscale - start-group-node - text - unknown - url-link - utf-8-string + (let* + ((commands '(blank + char + circle + dashed-line + draw-line + ellipse + end-group-node + glyph-string + grob-cause + named-glyph + no-origin + page-link + path + partial-ellipse + placebox + polygon + resetcolor + resetrotation + resetscale + round-filled-box + setcolor + setrotation + setscale + start-group-node + text + unknown + url-link + utf-8-string + ))) + + (if (ly:get-option 'safe) + commands + (append '(embedded-ps embedded-svg) + commands)) )) ;; TODO: -- 2.26.2
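Review bot: the lilypond.changes entry only records the CVE-2020-17353 patch, but the lilypond-doc.spec and lilypond.spec BuildRequires hunks also replace `BuildRequires: libguile1-devel >= 1.8.2` (and `BuildRequires: guile1 >= 1.8.2` in lilypond-doc.spec) with `BuildRequires: pkgconfig(guile-1.8)`, which silently drops the minimum-version floor; document the build-dependency change in the changes entry and keep the floor, e.g. `BuildRequires: pkgconfig(guile-1.8) >= 1.8.2`.

Review bot: the lilypond.spec hunk at `@@ -35,6 +35,7 @@` declares `Patch5: 0001-scm-disable-embedded-ps-and-embedded-svg-in-dsafe-mo.patch`, but no corresponding `%patch5` application in `%prep` appears in the diff; unless the spec uses `%autosetup` or `%autopatch`, the CVE fix would be shipped in the source RPM without being applied, so confirm `%prep` applies it and that the build log shows the patch being applied.

Review bot: in the scm/define-stencil-commands.scm hunk the docstring of `ly:all-stencil-commands` still reads "Return the list of stencil commands that can be defined in the output modules" and should state that `embedded-ps` and `embedded-svg` are omitted when `(ly:get-option 'safe)` is set, since that is now the function's security-relevant behaviour. As the `Tested:` output in the commit message shows, a `\markup \postscript` in `-dsafe` mode now fails inside `ly_make_stencil` with "Wrong type argument in position 1 (expecting registered stencil expression)", which does not tell the user that the command was disabled by safe mode; a check at the markup command that reports the command is unavailable under `-dsafe` would make the rejection clearer. Minor style: `(let*` with a single binding can be `let`, and the closing `)))` on its own line after `utf-8-string` is unusual for Scheme.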
