A number of safe mode escape vulnerabilities were discovered. One of them, tracked internally as T260225, was discovered by Han-Wen and has not been rectified after two months.

I discussed a plan for rectifying it with Han-Wen, and suggested that we could contribute funding towards fixing it. However, I was not able to get approval for funding it. So the task remains open for volunteers to address. Of course, it is difficult to recruit volunteers when it is a private security issue.

Han-Wen commented that the rectification we discussed would require a major version bump to 3.0. I don't consider that to be a blocker. I think security hardening would make a good headline improvement for a 3.0 release. I would estimate it as approximately one week of work. If you're willing to put that kind of time in, I can forward you the previous communications on this issue.

-- Tim Starling

On 16/10/20 10:46 am, Étienne Beaulé wrote:
> Hello, I'm the maintainer of the Score extension.
>
> There is also https://nvd.nist.gov/vuln/detail/CVE-2020-17353 which
> affects LilyPond through PostScript code injection. We've also done
> a security audit. I've CC'd Tim Starling who performed the audit to
> this thread, and he'd be in a better position to responsibly
> disclose problems.
>
> We hope to get LilyPond back on the Wikis, and that vulnerabilities
> get fixed well for a safer LilyPond!
>
> Étienne
>
>> On 15 Oct. 2020 at 19:05, Carl Sorensen <[email protected]> wrote:
>>
>> Unfortunately, there's not enough information on that thread to
>> understand what the issues are.
>>
>> I know that in the past there have been significant security
>> concerns which had a core concern related to Guile programming,
>> since Guile is a Turing-complete language.
>>
>> I don't know how we can contribute until we are made aware of the
>> challenges here.
>>
>> Carl
>>
>>
>> On 10/15/20, 4:14 PM, "lilypond-devel on behalf of Daniel Benjamin Miller" <[email protected] on behalf of [email protected]> wrote:
>>
>> Not of direct relevance to us as end users, but can someone shed light
>> on this and/or resolve the concern of the Wikimedia people? In the
>> meantime Lilypond support has been disabled on Wikipedia.
>> https://phabricator.wikimedia.org/T257066
