
LilyPond allows arbitrary PostScript and does not use -dSAFER (CVE-2020-17353)
Closed, Resolved | Public | Security

Description

As noted by @faidon in T257062, LilyPond allows arbitrary PostScript to be added to the intermediate output. When PNG output is requested, this arbitrary PostScript is passed to Ghostscript without -dSAFER. So arbitrary read/write/execute is allowed, even when LilyPond is run with -dsafe.

I've confirmed that the issue is present in LilyPond 2.18, but not in 2.20. It regressed again in the 2.21 unstable branch.

I reported it upstream by email yesterday, and they immediately responded with a proposed patch that disables the PostScript injection feature when safe mode is active. It is unclear whether they plan on backporting it to 2.18 but they have agreed that it is a security issue and have asked for discretion pending a release.

WMF production is not currently affected. There will be a workaround in the Score extension, which I think we should announce as an urgent security update for third-party Score users. The vulnerability trivially allows arbitrary execution via wikitext in the default configuration of the Score extension, so it is of high severity.

The workaround will probably be to run LilyPond with --ps, requesting PostScript output, which MediaWiki will convert to PNG by separately running gs -dSAFER.
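The two-step workaround described above, as an added example (not the Score extension's own code): LilyPond is asked for PostScript only, so it never launches Ghostscript itself, and the PostScript is then rasterised by a separate `gs` run that always carries -dSAFER. Assumes `lilypond` and `gs` are on PATH; file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from LilyPond or the Score extension.
# Mitigation for the described issue: keep the PostScript -> PNG step out of
# LilyPond's hands and run it under Ghostscript's -dSAFER file sandbox.

# Ghostscript argument list for PostScript -> PNG. Kept in a function so the
# hardening flag can be checked without needing gs installed.
gs_png_args() {
    in_ps=$1
    out_png=$2
    printf '%s' "-dSAFER -dBATCH -dNOPAUSE -dQUIET -sDEVICE=png16m -r101 -sOutputFile=$out_png $in_ps"
}

# Reject caller-supplied extra gs options that would undo the sandbox.
# -dNOSAFER and -dDELAYSAFER are real Ghostscript switches that disable or
# postpone SAFER mode; returns 1 if either is present.
check_gs_opts() {
    case " $* " in
        *" -dNOSAFER "*|*" -dDELAYSAFER "*) return 1 ;;
    esac
    return 0
}

# render_safe SCORE.ly OUT.png
# Step 1: lilypond -dsafe --ps  (PostScript only; no embedded gs invocation)
# Step 2: gs -dSAFER ...        (separate, sandboxed rasterisation)
# Note: -dsafe alone is not sufficient, per the description; --ps is what
# keeps Ghostscript out of LilyPond's PNG backend.
render_safe() {
    ly=$1
    out=$2
    tmp=$(mktemp -d) || return 1
    base="$tmp/score"
    lilypond -dsafe --ps -o "$base" "$ly" || { rm -rf "$tmp"; return 1; }
    # shellcheck disable=SC2046  # word-splitting of the argument list is intended
    gs $(gs_png_args "$base.ps" "$out") || { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
}
```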

Event Timeline

tstarling created this task.

I'll get that fixed in 2.18 as shipped in Debian Buster (Stretch lacks a Lilypond package due to Guile bugs which prevented it from entering the release) when upstream considers the issue public (and will also request a CVE).

The workaround will probably be to run LilyPond with --ps, requesting PostScript output, which MediaWiki will convert to PNG by separately running gs -dSAFER.

To simplify review and deployment, I uploaded that as a public change at https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Score/+/615594 , but without pointing out that it is a security issue and without linking to this bug. We'll announce what it's actually for when everyone's ready.

I haven't heard back, will ping the original "We've received your request" mail later.

This is CVE-2020-17353 (which covers both PostScript and SVG).

MoritzMuehlenhoff renamed this task from "LilyPond allows arbitrary PostScript and does not use -dSAFER" to "LilyPond allows arbitrary PostScript and does not use -dSAFER (CVE-2020-17353)". Aug 5 2020, 1:59 PM

Given that the commit message is specific, MITRE directly made this one visible in the CVE feed: It's now at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17353

What are the upstream plans for committing a fix for the other issue (T259210)? Ideally this one should not be too far away, so that distros can fix both in a single update.

What are the upstream plans for committing a fix for the other issue (T259210)? Ideally this one should not be too far away, so that distros can fix both in a single update.

I'll forward you the email thread.

This specific task can be closed, right? It's fixed upstream, there was a DSA for Debian (https://lists.debian.org/debian-security-announce/2020/msg00163.html), it's fixed in our Lilypond stretch package and Score extension also applies the workaround with the intermediate step.

@tstarling - Anything left to do here or can this be closed?

@tstarling - Anything left to do here or can this be closed?

Ping? :-)

Legoktm assigned this task to faidon.
Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".
Legoktm changed the edit policy from "Custom Policy" to "All Users".