Bugzilla – Bug 1210502
VUL-0: CVE-2020-17354: lilypond: Lilypond allows attackers to bypass the -dsafe protection mechanism
Last modified: 2024-06-29 11:49:42 UTC
CVE-2020-17354 LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17354
https://bugzilla.redhat.com/show_bug.cgi?id=2187166
https://www.cve.org/CVERecord?id=CVE-2020-17354
http://www.cvedetails.com/cve/CVE-2020-17354/
https://tracker.debian.org/news/1249694/accepted-lilypond-2221-1-source-into-unstable/
http://lilypond.org/doc/v2.18/Documentation/usage/command_002dline-usage
https://gitlab.com/lilypond/lilypond/-/merge_requests/1522
https://lilypond.org/download.html
https://phabricator.wikimedia.org/T259210
https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory
Backports codestreams still affected:
- openSUSE:Backports:SLE-15-SP4
- openSUSE:Backports:SLE-15-SP5
I found a series of 14 patches to remove safe mode at commit: b7e9878e84a209acf7d9244bdb1017b59a2e284c in lilypond git. Am I right in assuming that these will fix this issue?
(In reply to Dave Plater from comment #3)
> I found a series of 14 patches to remove safe mode at commit:
> b7e9878e84a209acf7d9244bdb1017b59a2e284c in lilypond git.
> Am I right in assuming that these will fix this issue?
Yes, basically the 14 commits from MR#1522 will fix the issue.
Can lilypond 2.24.1, which is a stable release as opposed to the experimental 2.23.x series, from Factory be used in openSUSE:Backports:SLE-15-SP5 to solve this bug? The patches to fix this in 2.23.3, which are from post 2.23.11, are proving difficult to apply due to the development that has already taken place in git.
The problem with getting lilypond 2.24 into 15.5 is the version of guile: lilypond 2.24 buildrequires guile-3, however Leap 15.5 has guile-2 from SLE, and unfortunately guile isn't a case we can whitelist in Backports because guile-2 from SLE is still released in SLE products and is still maintained. In case we fork guile-3 into the Leap project (not the Backports project), that would break other guile-related packages since they work with guile-2 but not guile-3. IMO unless we can get rid of guile in the lilypond 2.24 build, or switch lilypond to use guile-2 on Leap/Backports (if that's possible, I haven't looked into the lilypond configure script), we might indeed have to add backport patches to lilypond 2.23...
(In reply to Max Lin from comment #6)
> The problem to get lilypond 2.24 into 15.5 is the version of guile, lilypond
> 2.24 buildrequires guile-3, however Leap 15.5 has guile-2 from SLE, and
> unfortunate guile isn't a case we can whitelist it in Backports because
> guile-2 from SLE is still released in SLE products, and was maintained. In
> case we fork guile-3 to Leap project(not in Backports project) that would
> breaks other guile matter packages since they worked with guile-2 but not
> guile-3.
>
> IMO unless we can get rid of guile in lilypond 2.24 build, or switch
> lilypond to use guile-2 on Leap/Backports(if that's possible, haven't look
> into lilypond configure script), other than that we might indeed have to add
> backport patches to lilypond 2.23...
I've realized what the problem is: the guile2 versions available are not new enough for lilypond 2.24.x. I'll carry on fixing the patches.
I apologise for the time being taken for this issue. I'm at a point where the 3 most important patches from git are unable to apply due to so many other changes and after spending a few days trying am unable to fix this. Further, I'm unable to update to 2.23.12 because of the requirement for guile > 2.2. I don't have time available to finish this, I attempted the update this morning but was disappointed to find the guile restriction prevented this. I need help. I can update guile1 or guile to > 2.2 which would enable the current stable release version of lilypond 2.24.1. The odd minor versions are development versions and the even minor versions are releases.
Another solution for guile > 2 can be to fork guile (ver. 3.x) from Factory and rename it to *guile3*, and make sure the generated binary RPMs are not conflicting with the guile package's binary RPMs, i.e. resulting in libguile3-*, guile3-devel, etc. instead of guile-devel and others; this should pass the SLE package checker in rpmlint-backports. A similar package fork has been done in guile1 IIRC, as we did have guile (providing version 1.x above) and guile1 both existing in Factory. Eventually we'd get guile from SLE (version 2.x), guile1 from Backports (version 1.x), and guile3 from Backports (version 3.x) as the newly added one.
(In reply to Max Lin from comment #9)
> Another solution for guile > 2 can be to fork guile(ver. 3.x) from Factory
> and rename it to *guile3*, and make sure the generated binary RPMs has not
> conflicting with guile package's binary RPMs, like resulting libguile3-*,
> guile3-devel, etc. instead of guile-devel and others, this should passing
> SLE package checker in rpmlint-backports, the similar package fork has been
> done in guile1 IIRC as we do had guile(provding version 1.x above) and
> guile1 both exist in Factory. Eventually we'll get guile from SLE(version
> 2.x), guile1 from Backports(version 1.x), and guile3 from Backports(version
> 3.x) as the new added one.
Guile1 is an obsolete package; I created it for lilypond exclusively, and now that it's no longer needed the package will be deleted. The simplest solution for me is a guile3 package and lilypond 2.24.1; what I'm not sure of is how to introduce a new package to SLE. If allowed I can update guile1 to >2.2 or 3. What thoughts?
Created mr#1087407 with guile1 updated to the last 2.2 version in Factory and lilypond 2.24.1. If everything is in order I will submit to openSUSE:Backports:SLE-15-SP5 as well.
This is an autogenerated message for OBS integration: This bug (1210502) was mentioned in https://build.opensuse.org/request/show/1087529 Backports:SLE-15-SP4 / guile1+lilypond
This is an autogenerated message for OBS integration: This bug (1210502) was mentioned in https://build.opensuse.org/request/show/1088045 Backports:SLE-15-SP4 / guile1+lilypond
I'm unable to submit the update to openSUSE:Backports:SLE-15-SP5 due to this error:
> osc mr -m "Update lilypond and guile1 to fix boo#1210502 - CVE-2020-17354"
Using target project 'openSUSE:Maintenance'
Server returned an error: HTTP Error 400: Bad Request
Maintenance incident request contains release target project openSUSE:Backports:SLE-15-SP5 with invalid project kind "standard" (should be "maintenance_release") for package guile1.openSUSE_Backports_SLE-15-SP5
(In reply to Dave Plater from comment #14)
> I'm unable to submit the update to openSUSE:Backports:SLE-15-SP5 due to this
> error:
> > osc mr -m "Update lilypond and guile1 to fix boo#1210502 - CVE-2020-17354"
> Using target project 'openSUSE:Maintenance'
> Server returned an error: HTTP Error 400: Bad Request
> Maintenance incident request contains release target project
> openSUSE:Backports:SLE-15-SP5 with invalid project kind "standard" (should
> be "maintenance_release") for package guile1.openSUSE_Backports_SLE-15-SP5
I think that's because the openSUSE:Backports:SLE-15-SP5 project is not yet locked and the OBS:UpdateProject was not there prior to Leap 15.5 being released. Could you please try `osc sr YOUR_BRANCH lilypond.openSUSE_Backports_SLE-15-SP4_Update openSUSE:Backports:SLE-15-SP5 lilypond` instead? And the same for guile1.
(In reply to Max Lin from comment #15)
>
> I think that because openSUSE:Backports:SLE-15-SP5 project is not yet locked
> and the OBS:UpdateProject was not there prior to Leap 15.5 released, could
> you please try `osc sr YOUR_BRANCH
> lilypond.openSUSE_Backports_SLE-15-SP4_Update openSUSE:Backports:SLE-15-SP5
> lilypond` instead? and the same for guile1
I've tried all combinations for osc bco -M and I cannot submit anything via maintenance. Just plain osc branch openSUSE:Backports:SLE-15-SP5 lilypond and guile, then plain osc sr, is the only method that works. The Backports:SLE-15-SP4:Update succeeded via the maintenance route. SLE-15-SP4:Update is multiple maintenance request sr#1088045. Backports:SLE-15-SP5 has: lilypond sr#1088330, guile1 sr#1088329.
This is an autogenerated message for OBS integration: This bug (1210502) was mentioned in
https://build.opensuse.org/request/show/1088329 Backports:SLE-15-SP5 / guile1
https://build.opensuse.org/request/show/1088330 Backports:SLE-15-SP5 / lilypond
openSUSE-SU-2023:0137-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1210502
CVE References: CVE-2016-8605,CVE-2020-17354
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP4 (src): guile1-2.2.6-bp154.3.3.1, lilypond-2.24.1-bp154.2.3.2
Fixed