{"id":"MGASA-2023-0325","summary":"Updated lilypond packages fix a security vulnerability","details":"Updated lilypond packages fix a security vulnerability:\n\nLilyPond before 2.24 allows attackers to bypass the -dsafe protection\nmechanism via output-def-lookup or output-def-scope, as demonstrated by\ndangerous Scheme code in a .ly file that causes arbitrary code execution\nduring conversion to a different file format. NOTE: in 2.24 and later\nversions, safe mode is removed, and the product no longer tries to block\ncode execution when external files are used.\n","modified":"2026-04-16T00:09:14.290445650Z","published":"2023-11-27T15:16:47Z","upstream":["CVE-2020-17354"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2023-0325.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=31889"}],"affected":[{"package":{"name":"lilypond","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/lilypond?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.24.2-2.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0325.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}