[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: LilyPond disabled on Wikimedia

From: Carl Sorensen
Subject: Re: LilyPond disabled on Wikimedia
Date: Fri, 16 Oct 2020 01:31:57 +0000
User-agent: Microsoft-MacOutlook/10.10.1a.200914

Unfortunately, I’m not capable of handling this problem right now.

But it’s hard for me to imagine that something that would require a major 
version bump is only a week’s worth of work.  I’ve copied Han-Wen to try to 
understand more about why the change would require a major version bump.



From: Tim Starling <>
Date: Thursday, October 15, 2020 at 6:17 PM
To: Étienne Beaulé <>, Carl Sorensen 
Cc: Daniel Benjamin Miller <>, "" 
Subject: Re: LilyPond disabled on Wikimedia

A number of safe mode escape vulnerabilities were discovered. One of them, 
tracked internally as T260225, was discovered by Han-Wen and has not been 
rectified after two months.

I discussed a plan for rectifying it with Han-Wen, and suggested that we could 
contribute funding towards fixing it. However, I was not able to get approval 
for funding it. So the task remains open for volunteers to address. Of course, 
it is difficult to recruit volunteers when it is a private security issue.

Han-Wen commented that the rectification we discussed would require a major 
version bump to 3.0. I don't consider that to be a blocker. I think security 
hardening would make a good headline improvement for a 3.0 release.

I would estimate it as approximately one week of work. If you're willing to put 
that kind of time in, I can forward you the previous communications on this 

-- Tim Starling

On 16/10/20 10:46 am, Étienne Beaulé wrote:
Hello, I’m the maintainer of the Score extension.

There is also which affects 
LilyPond through PostScript code injection. We’ve also done a security audit. 
I’ve CC’d Tim Starling who performed the audit to this thread, and he’s be in a 
better position to responsibly disclose problems.

We hope to get LilyPond back on the Wikis, and that vulnerabilities get fixed 
well for a safer LilyPond!


Le 15 oct. 2020 à 19:05, Carl Sorensen 
<<>> a écrit :

Unfortunately, there's not enough information on that thread to understand what 
the issues are.

I know that in the past there have been significant security concerns which had 
a core concern related to Guile programming, since Guile is a turing-complete 

I don't know how we can contribute until we are made aware of the challenges 


On 10/15/20, 4:14 PM, "lilypond-devel on behalf of Daniel Benjamin Miller" 
 on behalf of<>> wrote:

Not of direct relevance to us as end users, but can someone shed light
on this and/or resolve the concern of the Wikimedia people? In the
meantime Lilypond support has been disabled on Wikipedia.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]