Security update for guile1, lilypond SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2023:0137-1 Final 1 1 2023-06-27T15:41:48Z current 2023-06-27T15:41:48Z 2023-06-27T15:41:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for guile1, lilypond This update for guile1, lilypond fixes the following issues: guile1: - Add service file to download release from git excluding the directory with commercial non free files. - Update to version 2.2.6 to enable lilypond to be updated to 2.24.1 to fix boo#1210502 and CVE-2020-17354. lilypond: - Update to version lilypond-2.24.1 to fix boo#1210502 - CVE-2020-17354: lilypond: Lilypond allows attackers to bypass the -dsafe protection mechanism. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2023-137 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ROLJCNPWZ2G4IQWP7NQKXNBT2QR32K2A/ E-Mail link for openSUSE-SU-2023:0137-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1210502 SUSE Bug 1210502 https://www.suse.com/security/cve/CVE-2016-8605/ SUSE CVE CVE-2016-8605 page https://www.suse.com/security/cve/CVE-2020-17354/ SUSE CVE CVE-2020-17354 page SUSE Package Hub 15 SP4 openSUSE Leap 15.4 guile1-2.2.6-bp154.3.3.1 guile1-modules-2_2-2.2.6-bp154.3.3.1 libguile-2_2-1-2.2.6-bp154.3.3.1 libguile1-devel-2.2.6-bp154.3.3.1 lilypond-2.24.1-bp154.2.3.2 lilypond-doc-2.24.1-bp154.2.3.2 lilypond-doc-cs-2.24.1-bp154.2.3.2 lilypond-doc-de-2.24.1-bp154.2.3.2 lilypond-doc-es-2.24.1-bp154.2.3.2 lilypond-doc-fr-2.24.1-bp154.2.3.2 lilypond-doc-hu-2.24.1-bp154.2.3.2 lilypond-doc-it-2.24.1-bp154.2.3.2 lilypond-doc-ja-2.24.1-bp154.2.3.2 lilypond-doc-nl-2.24.1-bp154.2.3.2 lilypond-doc-zh-2.24.1-bp154.2.3.2 lilypond-emmentaler-fonts-2.24.1-bp154.2.3.2 lilypond-fonts-common-2.24.1-bp154.2.3.2 guile1-2.2.6-bp154.3.3.1 as a component of SUSE Package Hub 15 SP4 guile1-modules-2_2-2.2.6-bp154.3.3.1 as a component of SUSE Package Hub 15 SP4 libguile-2_2-1-2.2.6-bp154.3.3.1 as a component of SUSE Package Hub 15 SP4 libguile1-devel-2.2.6-bp154.3.3.1 as a component of SUSE Package Hub 15 SP4 lilypond-2.24.1-bp154.2.3.2 as a component of SUSE Package Hub 15 SP4 lilypond-doc-2.24.1-bp154.2.3.2 as a component of SUSE Package Hub 15 SP4 lilypond-doc-cs-2.24.1-bp154.2.3.2 as a component of SUSE Package Hub 15 SP4 lilypond-doc-de-2.24.1-bp154.2.3.2 as a component of SUSE Package Hub 15 SP4 lilypond-doc-es-2.24.1-bp154.2.3.2 as a component of SUSE Package Hub 15 SP4 lilypond-doc-fr-2.24.1-bp154.2.3.2 as a component of SUSE Package Hub 15 SP4 lilypond-doc-hu-2.24.1-bp154.2.3.2 as a component of SUSE Package Hub 15 SP4 lilypond-doc-it-2.24.1-bp154.2.3.2 as a component of SUSE Package Hub 15 SP4 lilypond-doc-ja-2.24.1-bp154.2.3.2 as a component of SUSE Package Hub 15 SP4 lilypond-doc-nl-2.24.1-bp154.2.3.2 as a component of SUSE Package Hub 15 SP4 lilypond-doc-zh-2.24.1-bp154.2.3.2 as a component of SUSE Package Hub 15 SP4 lilypond-emmentaler-fonts-2.24.1-bp154.2.3.2 as a component of SUSE Package Hub 15 SP4 lilypond-fonts-common-2.24.1-bp154.2.3.2 as a component of SUSE Package Hub 15 SP4 guile1-2.2.6-bp154.3.3.1 as a component of openSUSE Leap 15.4 guile1-modules-2_2-2.2.6-bp154.3.3.1 as a component of openSUSE Leap 15.4 libguile-2_2-1-2.2.6-bp154.3.3.1 as a component of openSUSE Leap 15.4 libguile1-devel-2.2.6-bp154.3.3.1 as a component of openSUSE Leap 15.4 lilypond-2.24.1-bp154.2.3.2 as a component of openSUSE Leap 15.4 lilypond-doc-2.24.1-bp154.2.3.2 as a component of openSUSE Leap 15.4 lilypond-doc-cs-2.24.1-bp154.2.3.2 as a component of openSUSE Leap 15.4 lilypond-doc-de-2.24.1-bp154.2.3.2 as a component of openSUSE Leap 15.4 lilypond-doc-es-2.24.1-bp154.2.3.2 as a component of openSUSE Leap 15.4 lilypond-doc-fr-2.24.1-bp154.2.3.2 as a component of openSUSE Leap 15.4 lilypond-doc-hu-2.24.1-bp154.2.3.2 as a component of openSUSE Leap 15.4 lilypond-doc-it-2.24.1-bp154.2.3.2 as a component of openSUSE Leap 15.4 lilypond-doc-ja-2.24.1-bp154.2.3.2 as a component of openSUSE Leap 15.4 lilypond-doc-nl-2.24.1-bp154.2.3.2 as a component of openSUSE Leap 15.4 lilypond-doc-zh-2.24.1-bp154.2.3.2 as a component of openSUSE Leap 15.4 lilypond-emmentaler-fonts-2.24.1-bp154.2.3.2 as a component of openSUSE Leap 15.4 lilypond-fonts-common-2.24.1-bp154.2.3.2 as a component of openSUSE Leap 15.4 The mkdir procedure of GNU Guile temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, mkdir without the optional mode argument would create directories as 0777. This is fixed in Guile 2.0.13. Prior versions are affected. CVE-2016-8605 SUSE Package Hub 15 SP4:guile1-2.2.6-bp154.3.3.1 SUSE Package Hub 15 SP4:guile1-modules-2_2-2.2.6-bp154.3.3.1 SUSE Package Hub 15 SP4:libguile-2_2-1-2.2.6-bp154.3.3.1 SUSE Package Hub 15 SP4:libguile1-devel-2.2.6-bp154.3.3.1 SUSE Package Hub 15 SP4:lilypond-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-cs-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-de-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-es-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-fr-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-hu-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-it-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-ja-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-nl-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-zh-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-emmentaler-fonts-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-fonts-common-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:guile1-2.2.6-bp154.3.3.1 openSUSE Leap 15.4:guile1-modules-2_2-2.2.6-bp154.3.3.1 openSUSE Leap 15.4:libguile-2_2-1-2.2.6-bp154.3.3.1 openSUSE Leap 15.4:libguile1-devel-2.2.6-bp154.3.3.1 openSUSE Leap 15.4:lilypond-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-cs-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-de-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-es-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-fr-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-hu-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-it-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-ja-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-nl-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-zh-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-emmentaler-fonts-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-fonts-common-2.24.1-bp154.2.3.2 low 3.2 AV:L/AC:L/Au:S/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ROLJCNPWZ2G4IQWP7NQKXNBT2QR32K2A/ https://www.suse.com/security/cve/CVE-2016-8605.html CVE-2016-8605 https://bugzilla.suse.com/1004221 SUSE Bug 1004221 LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used. CVE-2020-17354 SUSE Package Hub 15 SP4:guile1-2.2.6-bp154.3.3.1 SUSE Package Hub 15 SP4:guile1-modules-2_2-2.2.6-bp154.3.3.1 SUSE Package Hub 15 SP4:libguile-2_2-1-2.2.6-bp154.3.3.1 SUSE Package Hub 15 SP4:libguile1-devel-2.2.6-bp154.3.3.1 SUSE Package Hub 15 SP4:lilypond-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-cs-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-de-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-es-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-fr-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-hu-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-it-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-ja-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-nl-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-doc-zh-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-emmentaler-fonts-2.24.1-bp154.2.3.2 SUSE Package Hub 15 SP4:lilypond-fonts-common-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:guile1-2.2.6-bp154.3.3.1 openSUSE Leap 15.4:guile1-modules-2_2-2.2.6-bp154.3.3.1 openSUSE Leap 15.4:libguile-2_2-1-2.2.6-bp154.3.3.1 openSUSE Leap 15.4:libguile1-devel-2.2.6-bp154.3.3.1 openSUSE Leap 15.4:lilypond-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-cs-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-de-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-es-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-fr-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-hu-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-it-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-ja-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-nl-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-doc-zh-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-emmentaler-fonts-2.24.1-bp154.2.3.2 openSUSE Leap 15.4:lilypond-fonts-common-2.24.1-bp154.2.3.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ROLJCNPWZ2G4IQWP7NQKXNBT2QR32K2A/ https://www.suse.com/security/cve/CVE-2020-17354.html CVE-2020-17354 https://bugzilla.suse.com/1210502 SUSE Bug 1210502