lilypond-devel

Re: LilyPond disabled on Wikimedia


From: Carl Sorensen
Subject: Re: LilyPond disabled on Wikimedia
Date: Fri, 16 Oct 2020 01:31:57 +0000
User-agent: Microsoft-MacOutlook/10.10.1a.200914

Unfortunately, I’m not capable of handling this problem right now.

But it’s hard for me to imagine that something that would require a major 
version bump is only a week’s worth of work.  I’ve copied Han-Wen to try to 
understand more about why the change would require a major version bump.

Thanks,

Carl


From: Tim Starling <tstarling@wikimedia.org>
Date: Thursday, October 15, 2020 at 6:17 PM
To: Étienne Beaulé <beauleetienne0@gmail.com>, Carl Sorensen 
<c_sorensen@byu.edu>
Cc: Daniel Benjamin Miller <dbmiller@dbmiller.org>, "lilypond-devel@gnu.org" 
<lilypond-devel@gnu.org>
Subject: Re: LilyPond disabled on Wikimedia

A number of safe mode escape vulnerabilities were discovered. One of them, 
tracked internally as T260225, was discovered by Han-Wen and has not been 
rectified after two months.

I discussed a plan for rectifying it with Han-Wen, and suggested that we could 
contribute funding towards fixing it. However, I was not able to get approval 
for funding it. So the task remains open for volunteers to address. Of course, 
it is difficult to recruit volunteers when it is a private security issue.

Han-Wen commented that the rectification we discussed would require a major 
version bump to 3.0. I don't consider that to be a blocker. I think security 
hardening would make a good headline improvement for a 3.0 release.

I would estimate it as approximately one week of work. If you're willing to put 
that kind of time in, I can forward you the previous communications on this 
issue.

-- Tim Starling

On 16/10/20 10:46 am, Étienne Beaulé wrote:
Hello, I’m the maintainer of the Score extension.

There is also https://nvd.nist.gov/vuln/detail/CVE-2020-17353 which affects 
LilyPond through PostScript code injection. We’ve also done a security audit. 
I’ve CC’d Tim Starling who performed the audit to this thread, and he’d be in a 
better position to responsibly disclose problems.

We hope to get LilyPond back on the Wikis, and that vulnerabilities get fixed 
well for a safer LilyPond!

Étienne


On 15 Oct. 2020 at 19:05, Carl Sorensen <c_sorensen@byu.edu> wrote:

Unfortunately, there's not enough information on that thread to understand what 
the issues are.

I know that in the past there have been significant security concerns which had 
a core concern related to Guile programming, since Guile is a Turing-complete 
language.

I don't know how we can contribute until we are made aware of the challenges 
here.

Carl


On 10/15/20, 4:14 PM, "lilypond-devel on behalf of Daniel Benjamin Miller" 
<lilypond-devel-bounces+carl.d.sorensen+digest=gmail.com@gnu.org on behalf of 
dbmiller@dbmiller.org> wrote:

Not of direct relevance to us as end users, but can someone shed light
on this and/or resolve the concern of the Wikimedia people? In the
meantime Lilypond support has been disabled on Wikipedia.
https://phabricator.wikimedia.org/T257066
