lilypond-devel

Re: LilyPond disabled on Wikimedia


From: Étienne Beaulé
Subject: Re: LilyPond disabled on Wikimedia
Date: Thu, 15 Oct 2020 19:46:55 -0400

Hello, I’m the maintainer of the Score extension.

There is also https://nvd.nist.gov/vuln/detail/CVE-2020-17353, which affects 
LilyPond through PostScript code injection. We’ve also done a security audit. 
I’ve CC’d Tim Starling, who performed the audit, to this thread, and he’d be in 
a better position to responsibly disclose problems.

We hope to get LilyPond back on the Wikis, and that vulnerabilities get fixed 
well for a safer LilyPond!

Étienne

> On 15 Oct 2020, at 19:05, Carl Sorensen <c_sorensen@byu.edu> wrote:
> 
> Unfortunately, there's not enough information on that thread to understand 
> what the issues are.
> 
> I know that in the past there have been significant security concerns which 
> had a core concern related to Guile programming, since Guile is a 
> Turing-complete language.
> 
> I don't know how we can contribute until we are made aware of the challenges 
> here.
> 
> Carl
> 
> 
> On 10/15/20, 4:14 PM, "lilypond-devel on behalf of Daniel Benjamin Miller" 
> <lilypond-devel-bounces+carl.d.sorensen+digest=gmail.com@gnu.org on behalf of 
> dbmiller@dbmiller.org> wrote:
> 
> Not of direct relevance to us as end users, but can someone shed light 
> on this and/or resolve the concern of the Wikimedia people? In the 
> meantime LilyPond support has been disabled on Wikipedia. 
> https://phabricator.wikimedia.org/T257066
> 
> 
> 


