openSUSE Security Update: Security update for abcm2ps ______________________________________________________________________________
Announcement ID: openSUSE-SU-2022:0100-1 Rating: moderate References: #1197355 Cross-References: CVE-2021-32434 CVE-2021-32435 CVE-2021-32436
CVSS scores: CVE-2021-32434 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-32435 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-32436 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products: openSUSE Backports SLE-15-SP3 ______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
This update for abcm2ps fixes the following issues:
Update to 8.14.13:
* fix: don't start/stop slurs above/below decorations * fix: crash when too many notes in a grace note sequence (#102) * fix: crash when too big value in M: (#103) * fix: loop or crash when too big width of y (space) (#104) * fix: bad font definition with SVG output when spaces in font name * fix: bad check of note length again (#106) * fix: handle %%staffscale at the global level (#108) * fix: bad vertical offset of lyrics when mysic line starts with empty staves
Update to 8.14.12:
Fixes:
* crash when "%%break 1" and no measure bar in the tune * crash when duplicated voice ending on %%staves with repeat variant * crash when voice duplication with symbols without width * crash or bad output when null value in %%scale * problem when only bars in 2 voices followed %%staves of the second voice only * crash when tuplet error in grace note sequence * crash when grace note with empty tuplet * crash when many broken rhythms after a single grace note * access outside the deco array when error in U: * crash when !xstem! with no note in the previous voice * crash on tuplet without any note/rest * crash when grace notes at end of line and voice overlay * crash when !trem2! at start of a grace note sequence * crash when wrong duration in 2 voice overlays and bad ties * crash when accidental without a note at start of line after K: (CVE-2021-32435) * array overflow when wrong duration in voice overlay (CVE-2021-32434, CVE-2021-32436) * loss of left margin after first page since previous commit * no respect of %%leftmargin with -E or -g * bad placement of chord symbols when in a music line with only invisible rests
Syntax:
* Accept and remove one or two '%'s at start of all %%beginxxx lines
Generation:
* Move the CSS from XHTML to SVG
Update to 8.14.11:
* fix: error "'staffwidth' too small" when generating sample3.abc
Update to 8.14.10:
* fix: bad glyph when defined by SVG containing 'v' in * fix: bad check of note length since commit 191fa55 * fix: memory corruption when error in %%staves/%%score * fix: crash when too big note duration * fix: crash when staff width too small
Update to 8.14.9:
* fix: bad natural accidental when %%MIDI temperamentequal
Update to 8.14.8:
* fix: no respect the width in %%staffbreak * fix: don't draw a staff when only %%staffbreak inside * fix: bad repeat bracket when continued on next line, line starting by a bar * fix: bad tuplet bracket again when at end of a voice overlay sequence * fix: bad tuplet bracket when at end of a voice overlay sequence * handle '%%MIDI temperamentequal ' * accept '^1' and '_1' as microtone accidentals
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP3:
zypper in -t patch openSUSE-2022-100=1
Package List:
- openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):
abcm2ps-8.14.13-bp153.2.3.1
References:
https://www.suse.com/security/cve/CVE-2021-32434.html https://www.suse.com/security/cve/CVE-2021-32435.html https://www.suse.com/security/cve/CVE-2021-32436.html https://bugzilla.suse.com/1197355
security-announce@lists.opensuse.org
-
opensuse-security@opensuse.org