SUSE: CVE-2018-10992: SUSE Linux Security Advisory
Description
lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument, because the GNU Guile code uses the system Scheme procedure instead of the system* Scheme procedure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-17523.
Solution(s)
- suse-upgrade-lilypond
- suse-upgrade-lilypond-century-schoolbook-l-fonts
- suse-upgrade-lilypond-debuginfo
- suse-upgrade-lilypond-debugsource
- suse-upgrade-lilypond-doc
- suse-upgrade-lilypond-doc-cs
- suse-upgrade-lilypond-doc-de
- suse-upgrade-lilypond-doc-es
- suse-upgrade-lilypond-doc-fr
- suse-upgrade-lilypond-doc-hu
- suse-upgrade-lilypond-doc-it
- suse-upgrade-lilypond-doc-ja
- suse-upgrade-lilypond-doc-nl
- suse-upgrade-lilypond-doc-zh
- suse-upgrade-lilypond-emmentaler-fonts
- suse-upgrade-lilypond-fonts-common
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center