From b84ea4740f3279516905c5db05f4074e777c16ff Mon Sep 17 00:00:00 2001
From: Han-Wen Nienhuys <hanwenn@gmail.com>
Date: Tue, 21 Jul 2020 14:45:08 +0200
Subject: [PATCH] scm: disable embedded-ps and embedded-svg in -dsafe mode

This prevents executing privileged PostScript and exploiting
Ghostscript vulnerabilities

Tested:
 $ lilypond -dsafe input/regression/les-nereides.ly
 (works, kinda)

 $ cat f.ly
 { c4_ \markup \postscript #" (x) show " }

 $ lilypond -dsafe f
 Preprocessing graphical objects.../home/hanwen/vc/lilypond/out/share/lilypond/current/scm/define-markup-commands.scm:1145:3: In procedure ly_make_stencil in expression (ly:make-stencil (list # #) (quote #) ...):
  /home/hanwen/vc/lilypond/out/share/lilypond/current/scm/define-markup-commands.scm:1145:3: Wrong type argument in position 1 (expecting registered stencil expression): (embedded-ps "
---
 scm/define-stencil-commands.scm | 65 ++++++++++++++++++++++-------------------
 1 file changed, 35 insertions(+), 30 deletions(-)

diff --git a/scm/define-stencil-commands.scm b/scm/define-stencil-commands.scm
index 09a2299..e388788 100644
--- a/scm/define-stencil-commands.scm
+++ b/scm/define-stencil-commands.scm
@@ -21,36 +21,41 @@
 (define-public (ly:all-stencil-commands)
   "Return the list of stencil commands that can be
 defined in the output modules (@file{output-*.scm})."
-  '(blank
-    char
-    circle
-    dashed-line
-    draw-line
-    ellipse
-    embedded-ps
-    embedded-svg
-    end-group-node
-    glyph-string
-    grob-cause
-    named-glyph
-    no-origin
-    page-link
-    path
-    partial-ellipse
-    placebox
-    polygon
-    resetcolor
-    resetrotation
-    resetscale
-    round-filled-box
-    setcolor
-    setrotation
-    setscale
-    start-group-node
-    text
-    unknown
-    url-link
-    utf-8-string
+  (let*
+      ((commands '(blank
+                   char
+                   circle
+                   dashed-line
+                   draw-line
+                   ellipse
+                   end-group-node
+                   glyph-string
+                   grob-cause
+                   named-glyph
+                   no-origin
+                   page-link
+                   path
+                   partial-ellipse
+                   placebox
+                   polygon
+                   resetcolor
+                   resetrotation
+                   resetscale
+                   round-filled-box
+                   setcolor
+                   setrotation
+                   setscale
+                   start-group-node
+                   text
+                   unknown
+                   url-link
+                   utf-8-string
+                   )))
+
+    (if (ly:get-option 'safe)
+        commands
+        (append '(embedded-ps embedded-svg)
+                commands))
     ))
 
 ;; TODO:
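Review bot: The docstring of `ly:all-stencil-commands` still describes a fixed list, although the result now depends on `(ly:get-option 'safe)` at the moment of each call. I would add a sentence such as `In safe mode (-dsafe) embedded-ps and embedded-svg are left out, so input cannot pass raw PostScript or SVG to the backend.` The restriction only holds if every consumer of this list calls the function after the option has been set and does not keep an earlier result; those callers are outside this hunk, so that is worth confirming. A regression test for the `\markup \postscript` case from the commit message would keep the two commands from being re-added to the base list unnoticed. As a style point, the single binding needs only `let` rather than `let*`, and the closing parentheses on their own lines could be folded onto the preceding lines.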
-- 
1.9.1