lilypond-devel

Re: LilyPond disabled on Wikimedia


From: Tim Starling
Subject: Re: LilyPond disabled on Wikimedia
Date: Fri, 16 Oct 2020 11:17:23 +1100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0

A number of safe mode escape vulnerabilities were discovered. One of
them, tracked internally as T260225, was discovered by Han-Wen and has
not been rectified after two months.

I discussed a plan for rectifying it with Han-Wen, and suggested that
we could contribute funding towards fixing it. However, I was not able
to get approval for funding it. So the task remains open for
volunteers to address. Of course, it is difficult to recruit
volunteers when it is a private security issue.

Han-Wen commented that the rectification we discussed would require a
major version bump to 3.0. I don't consider that to be a blocker. I
think security hardening would make a good headline improvement for a
3.0 release.

I would estimate it as approximately one week of work. If you're
willing to put that kind of time in, I can forward you the previous
communications on this issue.

-- Tim Starling

On 16/10/20 10:46 am, Étienne Beaulé wrote:
> Hello, I’m the maintainer of the Score extension.
>
> There is also https://nvd.nist.gov/vuln/detail/CVE-2020-17353 which
> affects LilyPond through PostScript code injection. We’ve also done
> a security audit. I’ve CC’d Tim Starling, who performed the audit, on
> this thread, and he’d be in a better position to responsibly
> disclose problems.
>
> We hope to get LilyPond back on the Wikis, and that vulnerabilities
> get fixed well for a safer LilyPond!
>
> Étienne
>
>> On 15 Oct 2020 at 19:05, Carl Sorensen <c_sorensen@byu.edu> wrote:
>>
>> Unfortunately, there's not enough information on that thread to
>> understand what the issues are.
>>
>> I know that in the past there have been significant security
>> concerns which had a core concern related to Guile programming,
>> since Guile is a Turing-complete language.
>>
>> I don't know how we can contribute until we are made aware of the
>> challenges here.
>>
>> Carl
>>
>>
>> On 10/15/20, 4:14 PM, "lilypond-devel on behalf of Daniel Benjamin
>> Miller" <lilypond-devel-bounces+carl.d.sorensen+digest=gmail.com@gnu.org
>> on behalf of dbmiller@dbmiller.org> wrote:
>>
>> Not of direct relevance to us as end users, but can someone shed light
>> on this and/or resolve the concern of the Wikimedia people? In the
>> meantime Lilypond support has been disabled on Wikipedia.
>> https://phabricator.wikimedia.org/T257066