CVE-2020-17353
📋 TL;DR
This vulnerability in LilyPond allows arbitrary code execution when processing malicious music scores with embedded PostScript or SVG content, even when using the -dsafe security flag. Attackers can craft malicious files that execute arbitrary commands on the system. Users who process untrusted LilyPond files with affected versions are at risk.
💻 Affected Systems
- LilyPond
📦 What is this software?
- Backports SLE by openSUSE
- Fedora by Fedora Project
- Leap by openSUSE
- LilyPond by LilyPond
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.
Likely Case
Local privilege escalation or arbitrary code execution when processing malicious LilyPond files from untrusted sources.
If Mitigated
Limited impact if systems only process trusted files and have proper sandboxing/isolation.
🎯 Exploit Status
Exploitation requires user interaction to process a malicious file. No public exploit code identified in references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.20.1, 2.21.5, and later versions
Vendor Advisory: http://git.savannah.gnu.org/gitweb/?p=lilypond.git%3Ba=commit%3Bh=b84ea4740f3279516905c5db05f4074e777c16ff
Restart Required: No
Instructions:
1. Update LilyPond to version 2.20.1 or 2.21.5 or later.
2. Use the package manager: 'sudo apt update && sudo apt upgrade lilypond' (Debian/Ubuntu) or 'sudo yum update lilypond' (RHEL/CentOS).
3. For source installations, download and compile from the official repository.
🔧 Temporary Workarounds
Disable embedded PostScript/SVG processing
- Modify the LilyPond configuration to block embedded PostScript and SVG commands
- Edit scm/define-stencil-commands.scm to add restrictions on embedded-ps and embedded-svg
Sandbox LilyPond processing
- Run LilyPond in isolated containers or virtual machines when processing untrusted files
- docker run --rm -v $(pwd):/data -w /data lilypond lilypond input.ly
- Use bubblewrap or firejail for isolation
🧯 If You Can't Patch
- Only process LilyPond files from trusted sources and avoid opening untrusted .ly files
- Implement strict file upload validation in web applications to reject potentially malicious LilyPond files
🔍 How to Verify
Check if Vulnerable:
Run 'lilypond --version'; the installation is vulnerable if the reported version is 2.20.0 or earlier, or 2.21.0 through 2.21.4
Check Version:
lilypond --version | head -1
Verify Fix Applied:
After update, run 'lilypond --version' and confirm version is 2.20.1, 2.21.5, or later
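The version check above, carried through as a small POSIX shell script. This is an added example, not part of the advisory or of the LilyPond project: it parses the first line of `lilypond --version` output (or any string containing a dotted version number), classifies it against the affected ranges stated on this page (2.20.0 and earlier, and 2.21.0 through 2.21.4), and treats everything else as fixed. The sample version strings are constructed to exercise the range boundaries; the check of a locally installed binary only runs if `lilypond` is on PATH.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a LilyPond version string
# against the affected ranges: 2.20.0 and earlier, and 2.21.0 through 2.21.4.
# Anything outside those ranges is reported as fixed.

# Print MAJOR MINOR PATCH for a string such as "GNU LilyPond 2.20.0".
# Prints nothing when no dotted version number is present.
parse_version() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | grep -E '^[0-9]+\.[0-9]+' | head -n 1 \
        | sed 's/[^0-9.].*$//' | tr '.' ' '
}

# Exit status: 0 = vulnerable, 1 = fixed, 2 = version could not be parsed.
lilypond_vulnerable() {
    v=$(parse_version "$1")
    [ -n "$v" ] || return 2
    set -- $v
    major=$1
    minor=${2:-0}
    patch=${3:-0}
    [ "$major" -lt 2 ] && return 0          # anything before the 2.x line
    [ "$major" -gt 2 ] && return 1
    [ "$minor" -lt 20 ] && return 0         # 2.19.x and earlier
    if [ "$minor" -eq 20 ]; then
        [ "$patch" -lt 1 ] && return 0      # 2.20.0 affected, 2.20.1+ fixed
        return 1
    fi
    if [ "$minor" -eq 21 ]; then
        [ "$patch" -le 4 ] && return 0      # 2.21.0 .. 2.21.4 affected
        return 1
    fi
    return 1                                # 2.22 and later
}

# Human-readable verdict for one version string.
report() {
    rc=0
    lilypond_vulnerable "$1" || rc=$?
    case $rc in
        0) printf 'VULNERABLE:  %s\n' "$1" ;;
        1) printf 'fixed:       %s\n' "$1" ;;
        *) printf 'unparseable: %s\n' "$1" ;;
    esac
}

# Constructed sample strings covering the boundaries of the affected ranges.
for sample in "GNU LilyPond 2.19.83" "GNU LilyPond 2.20.0" "GNU LilyPond 2.20.1" \
              "GNU LilyPond 2.21.4" "GNU LilyPond 2.21.5" "GNU LilyPond 2.22.0"; do
    report "$sample"
done

# Check the locally installed binary, if there is one.
if command -v lilypond >/dev/null 2>&1; then
    report "$(lilypond --version | head -n 1)"
fi
```

Distribution packages often carry a backported fix under an older upstream version number (the openSUSE, Fedora and Debian advisories in the references describe such updates), so on a packaged install confirm the fix through the package changelog as well as the version string.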
📡 Detection & Monitoring
Log Indicators:
- Unusual LilyPond process execution patterns
- Errors related to embedded PostScript/SVG processing
Network Indicators:
- Outbound connections from LilyPond processes to unexpected destinations
SIEM Query:
process_name:"lilypond" AND (command_line:"-dsafe" OR parent_process:web_server)
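The SIEM query above, expressed as a runnable awk filter over constructed endpoint-telemetry lines, so the logic can be tested offline before it is ported to a real query language. This is an added example, not part of the advisory; the key=value event format, the timestamps and the paths are made up, and the query's `web_server` parent is assumed here to mean apache2, nginx or httpd. Flagging `-dsafe` invocations is useful because this CVE is exactly the case where that flag does not protect a host that processes untrusted scores.

```shell
#!/bin/sh
# Added example (not from the advisory): the SIEM query
#   process_name:"lilypond" AND (command_line:"-dsafe" OR parent_process:web_server)
# as an awk filter. Assumption: "web_server" means apache2, nginx or httpd.

# Constructed sample events; timestamps and paths are made up for illustration.
SAMPLE_EVENTS='ts=2020-09-01T10:00:00Z process_name=lilypond parent_process=bash command_line="lilypond score.ly"
ts=2020-09-01T10:00:05Z process_name=lilypond parent_process=apache2 command_line="lilypond -dsafe /var/www/uploads/x.ly"
ts=2020-09-01T10:00:09Z process_name=lilypond parent_process=bash command_line="lilypond -dsafe untrusted.ly"
ts=2020-09-01T10:01:00Z process_name=gs parent_process=lilypond command_line="gs -dSAFER -sDEVICE=pdfwrite"
ts=2020-09-01T10:02:00Z process_name=lilypond parent_process=nginx command_line="lilypond upload.ly"'

# Print every event where the process is lilypond AND (it was started with
# -dsafe OR its parent is a web server). The anchors around process_name and
# parent_process keep "parent_process=lilypond" from matching the first test.
match_events() {
    awk '
        /(^| )process_name=lilypond( |$)/ &&
        (/command_line="[^"]*-dsafe/ || /(^| )parent_process=(apache2|nginx|httpd)( |$)/) { print }
    '
}

# Number of alerts produced by the sample data (prints a bare integer).
count_alerts() {
    printf '%s\n' "$SAMPLE_EVENTS" | match_events | wc -l | tr -d ' '
}

# Show the matching events; three of the five constructed lines qualify.
printf '%s\n' "$SAMPLE_EVENTS" | match_events
```

The fourth sample line (a ghostscript child of lilypond) is deliberately not matched: the query keys on the lilypond process itself, and a separate rule would be needed to watch what lilypond spawns, which is where the "outbound connections from LilyPond processes" network indicator above comes in.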
🔗 References
- http://git.savannah.gnu.org/gitweb/?p=lilypond.git%3Ba=commit%3Bh=b84ea4740f3279516905c5db05f4074e777c16ff
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00076.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QG2JUV4UTIA27JUE6IZLCEFP5PYSFPF4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2JYMVLTPSNYS5F7TBHKIXUZZJIJAMRX/
- https://www.debian.org/security/2020/dsa-4756