Re: LilyPond disabled on Wikimedia

From: Tim Starling
Subject: Re: LilyPond disabled on Wikimedia
Date: Fri, 16 Oct 2020 11:17:23 +1100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0

A number of safe mode escape vulnerabilities were discovered. One of
them, tracked internally as T260225, was discovered by Han-Wen and has
not been rectified after two months.

I discussed a plan for rectifying it with Han-Wen, and suggested that
we could contribute funding towards fixing it. However, I was not able
to get approval for funding it. So the task remains open for
volunteers to address. Of course, it is difficult to recruit
volunteers when it is a private security issue.

Han-Wen commented that the rectification we discussed would require a
major version bump to 3.0. I don't consider that to be a blocker. I
think security hardening would make a good headline improvement for a
3.0 release.

I would estimate it as approximately one week of work. If you're
willing to put that kind of time in, I can forward you the previous
communications on this issue.

-- Tim Starling

On 16/10/20 10:46 am, Étienne Beaulé wrote:
> Hello, I’m the maintainer of the Score extension.
> There is also which
> affects LilyPond through PostScript code injection. We’ve also done
> a security audit. I’ve CC’d Tim Starling who performed the audit to
> this thread, and he'd be in a better position to responsibly
> disclose problems.
> We hope to get LilyPond back on the Wikis, and that vulnerabilities
> get fixed well for a safer LilyPond!
> Étienne
>> On 15 Oct. 2020 at 19:05, Carl Sorensen wrote:
>> Unfortunately, there's not enough information on that thread to
>> understand what the issues are.
>> I know that in the past there have been significant security
>> concerns which had a core concern related to Guile programming,
>> since Guile is a Turing-complete language.
>> I don't know how we can contribute until we are made aware of the
>> challenges here.
>> Carl
>> On 10/15/20, 4:14 PM, "lilypond-devel on behalf of Daniel Benjamin
>> Miller" wrote:
>> Not of direct relevance to us as end users, but can someone shed light
>> on this and/or resolve the concern of the Wikimedia people? In the
>> meantime Lilypond support has been disabled on Wikipedia.
