SUSE 5149 Published by

An abcm2ps security update has been released for SUSE Linux Enterprise 15 SP3.



openSUSE-SU-2022:0100-1: moderate: Security update for abcm2ps


openSUSE Security Update: Security update for abcm2ps
______________________________________________________________________________

Announcement ID: openSUSE-SU-2022:0100-1
Rating: moderate
References: #1197355
Cross-References: CVE-2021-32434 CVE-2021-32435 CVE-2021-32436

CVSS scores:
CVE-2021-32434 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE-2021-32435 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE-2021-32436 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected Products:
openSUSE Backports SLE-15-SP3
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for abcm2ps fixes the following issues:

Update to 8.14.13:

* fix: don't start/stop slurs above/below decorations
* fix: crash when too many notes in a grace note sequence (#102)
* fix: crash when too big value in M: (#103)
* fix: loop or crash when too big width of y (space) (#104)
* fix: bad font definition with SVG output when spaces in font name
* fix: bad check of note length again (#106)
* fix: handle %%staffscale at the global level (#108)
* fix: bad vertical offset of lyrics when mysic line starts with empty
staves

Update to 8.14.12:

Fixes:

* crash when "%%break 1" and no measure bar in the tune
* crash when duplicated voice ending on %%staves with repeat variant
* crash when voice duplication with symbols without width
* crash or bad output when null value in %%scale
* problem when only bars in 2 voices followed %%staves of the second voice
only
* crash when tuplet error in grace note sequence
* crash when grace note with empty tuplet
* crash when many broken rhythms after a single grace note
* access outside the deco array when error in U:
* crash when !xstem! with no note in the previous voice
* crash on tuplet without any note/rest
* crash when grace notes at end of line and voice overlay
* crash when !trem2! at start of a grace note sequence
* crash when wrong duration in 2 voice overlays and bad ties
* crash when accidental without a note at start of line after K:
(CVE-2021-32435)
* array overflow when wrong duration in voice overlay (CVE-2021-32434,
CVE-2021-32436)
* loss of left margin after first page since previous commit
* no respect of %%leftmargin with -E or -g
* bad placement of chord symbols when in a music line with only invisible
rests

Syntax:

* Accept and remove one or two '%'s at start of all %%beginxxx lines

Generation:

* Move the CSS from XHTML to SVG

Update to 8.14.11:

* fix: error "'staffwidth' too small" when generating sample3.abc

Update to 8.14.10:

* fix: bad glyph when defined by SVG containing 'v' in
* fix: bad check of note length since commit 191fa55
* fix: memory corruption when error in %%staves/%%score
* fix: crash when too big note duration
* fix: crash when staff width too small

Update to 8.14.9:

* fix: bad natural accidental when %%MIDI temperamentequal

Update to 8.14.8:

* fix: no respect the width in %%staffbreak
* fix: don't draw a staff when only %%staffbreak inside
* fix: bad repeat bracket when continued on next line, line starting by a
bar
* fix: bad tuplet bracket again when at end of a voice overlay sequence
* fix: bad tuplet bracket when at end of a voice overlay sequence
* handle '%%MIDI temperamentequal '
* accept '^1' and '_1' as microtone accidentals

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP3:

zypper in -t patch openSUSE-2022-100=1


Package List:

- openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):

abcm2ps-8.14.13-bp153.2.3.1

References:

  https://www.suse.com/security/cve/CVE-2021-32434.html
  https://www.suse.com/security/cve/CVE-2021-32435.html
  https://www.suse.com/security/cve/CVE-2021-32436.html
  https://bugzilla.suse.com/1197355