commit: b643169012fae9013d509ef7fc19602450113b77 |
Author: Miroslav Šulc <fordfrog <AT> gentoo <DOT> org> |
AuthorDate: Wed Aug 5 17:57:09 2020 +0000 |
Commit: Miroslav Šulc <fordfrog <AT> gentoo <DOT> org> |
CommitDate: Wed Aug 5 17:57:26 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6431690 |
|
media-sound/lilypond: fixed cve-2020-17353 |
|
Bug: https://bugs.gentoo.org/736074 |
Package-Manager: Portage-3.0.1, Repoman-2.3.23 |
Signed-off-by: Miroslav Šulc <fordfrog <AT> gentoo.org> |
|
.../files/lilypond-fix-cve-2020-17353.patch | 101 +++++++++++++++++++++ |
...ond-2.21.4.ebuild => lilypond-2.21.1-r1.ebuild} | 5 +- |
...ond-2.21.4.ebuild => lilypond-2.21.4-r1.ebuild} | 1 + |
3 files changed, 105 insertions(+), 2 deletions(-) |
|
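diff --git a/media-sound/lilypond/files/lilypond-fix-cve-2020-17353.patch b/media-sound/lilypond/files/lilypond-fix-cve-2020-17353.patch
new file mode 100644
index 00000000000..e91947eae05
--- /dev/null
+++ b/media-sound/lilypond/files/lilypond-fix-cve-2020-17353.patch
@@ -0,0 +1,101 @@
+From b84ea4740f3279516905c5db05f4074e777c16ff Mon Sep 17 00:00:00 2001
+From: Han-Wen Nienhuys <hanwenn@×××××.com>
+Date: Tue, 21 Jul 2020 14:45:08 +0200
+Subject: [PATCH] scm: disable embedded-ps and embedded-svg in -dsafe mode
+
+This prevents executing privileged PostScript and exploiting
+Ghostscript vulnerablilities
+
+Tested:
+ $ lilypond -dsafe input/regression/les-nereides.ly
+ (works, kinda)
+
+ $ cat f.ly
+ { c4_ \markup \postscript #" (x) show " }
+
+ $ lilypond -dsafe f
+ Preprocessing graphical objects.../home/hanwen/vc/lilypond/out/share/lilypond/current/scm/define-markup-commands.scm:1145:3: In procedure ly_make_stencil in expression (ly:make-stencil (list # #) (quote #) ...):
+ /home/hanwen/vc/lilypond/out/share/lilypond/current/scm/define-markup-commands.scm:1145:3: Wrong type argument in position 1 (expecting registered stencil expression): (embedded-ps "
+---
+ scm/define-stencil-commands.scm | 65 ++++++++++++++++++++++-------------------
+ 1 file changed, 35 insertions(+), 30 deletions(-)
+
+diff --git a/scm/define-stencil-commands.scm b/scm/define-stencil-commands.scm
+index 09a2299..e388788 100644
+--- a/scm/define-stencil-commands.scm
++++ b/scm/define-stencil-commands.scm
+@@ -21,36 +21,41 @@
+ (define-public (ly:all-stencil-commands)
+ "Return the list of stencil commands that can be
+ defined in the output modules (@file{output-*.scm})."
+- '(blank
+- char
+- circle
+- dashed-line
+- draw-line
+- ellipse
+- embedded-ps
+- embedded-svg
+- end-group-node
+- glyph-string
+- grob-cause
+- named-glyph
+- no-origin
+- page-link
+- path
+- partial-ellipse
+- placebox
+- polygon
+- resetcolor
+- resetrotation
+- resetscale
+- round-filled-box
+- setcolor
+- setrotation
+- setscale
+- start-group-node
+- text
+- unknown
+- url-link
+- utf-8-string
++ (let*
++ ((commands '(blank
++ char
++ circle
++ dashed-line
++ draw-line
++ ellipse
++ end-group-node
++ glyph-string
++ grob-cause
++ named-glyph
++ no-origin
++ page-link
++ path
++ partial-ellipse
++ placebox
++ polygon
++ resetcolor
++ resetrotation
++ resetscale
++ round-filled-box
++ setcolor
++ setrotation
++ setscale
++ start-group-node
++ text
++ unknown
++ url-link
++ utf-8-string
++ )))
++
++ (if (ly:get-option 'safe)
++ commands
++ (append '(embedded-ps embedded-svg)
++ commands))
+ ))
+
+ ;; TODO:
+--
+1.9.1
+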
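Review bot: The protection carried by this patch is opt-in: in the embedded hunk of ly:all-stencil-commands the two commands are appended back whenever `(ly:get-option 'safe)` is false, so an invocation without -dsafe still accepts \markup \postscript, and nothing in the visible ebuild hunks changes that default. The header's own test transcript also shows that a rejected input fails with a generic Guile "Wrong type argument" error from define-markup-commands.scm rather than a message naming safe mode, which users who hit it will find hard to interpret; that is an upstream matter, not something to change in the backport. What the Gentoo copy is missing is a local header: prepending `Bug: https://bugs.gentoo.org/736074` and `Upstream commit: b84ea4740f3279516905c5db05f4074e777c16ff` above the `From` line would record why the file is carried and where it came from without affecting how it applies.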
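diff --git a/media-sound/lilypond/lilypond-2.21.4.ebuild b/media-sound/lilypond/lilypond-2.21.1-r1.ebuild
similarity index 95%
copy from media-sound/lilypond/lilypond-2.21.4.ebuild
copy to media-sound/lilypond/lilypond-2.21.1-r1.ebuild
index 3aa63a51f18..1f1e8202a99 100644
--- a/media-sound/lilypond/lilypond-2.21.4.ebuild
+++ b/media-sound/lilypond/lilypond-2.21.1-r1.ebuild
@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
-PYTHON_COMPAT=( python3_{6,7,8,9} )
+PYTHON_COMPAT=( python3_{6,7,8} )
 
 inherit elisp-common autotools python-single-r1 toolchain-funcs xdg-utils
 
@@ -54,7 +54,8 @@ DEPEND="${RDEPEND}
 RESTRICT="test"
 
 PATCHES=(
-	"${FILESDIR}"/${PN}-2.21.1-fix-font-size.patch
+	"${FILESDIR}"/${P}-fix-font-size.patch
+	"${FILESDIR}"/${PN}-fix-cve-2020-17353.patch
 )
 
 DOCS=( DEDICATION HACKING README.txt ROADMAP )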
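Review bot: The new PATCHES entry `"${FILESDIR}"/${P}-fix-font-size.patch` in the second hunk resolves to lilypond-2.21.1-fix-font-size.patch only because ${P} omits the -r1 revision, and it ties the patch name to the ebuild version, so the next bump of this ebuild silently looks for a file that does not exist. The sibling lilypond-2.21.4-r1.ebuild in this same commit keeps the explicit `"${FILESDIR}"/${PN}-2.21.1-fix-font-size.patch`, so the same file is now referenced two different ways across the two ebuilds. Keeping the explicit form here, `"${FILESDIR}"/${PN}-2.21.1-fix-font-size.patch`, matches that ebuild and survives a version bump without a rename. The PYTHON_COMPAT difference in the first hunk is presumably an artifact of the diff being rendered against the 2.21.4 ebuild via copy detection rather than a change made by this commit.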
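diff --git a/media-sound/lilypond/lilypond-2.21.4.ebuild b/media-sound/lilypond/lilypond-2.21.4-r1.ebuild
similarity index 98%
rename from media-sound/lilypond/lilypond-2.21.4.ebuild
rename to media-sound/lilypond/lilypond-2.21.4-r1.ebuild
index 3aa63a51f18..0196e4c7d4d 100644
--- a/media-sound/lilypond/lilypond-2.21.4.ebuild
+++ b/media-sound/lilypond/lilypond-2.21.4-r1.ebuild
@@ -55,6 +55,7 @@ RESTRICT="test"
 
 PATCHES=(
 	"${FILESDIR}"/${PN}-2.21.1-fix-font-size.patch
+	"${FILESDIR}"/${PN}-fix-cve-2020-17353.patch
 )
 
 DOCS=( DEDICATION HACKING README.txt ROADMAP )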