On 15/11/19 18:27, Pavel Sanda wrote:
On Fri, Nov 15, 2019 at 10:29:37AM -0500, John wrote:
The LyX for Windows installer 2.3.3-1 installs ImageMagick 7.0.7-27. This
version is subject to multiple buffer overflows (stack and heap) and
several other vulnerabilities, allowing remote code execution if the user
opens a LyX document incorporating a specially-crafted image.

Solution: Upgrade to ImageMagick 7.0.8-56 or newer in the LyX installer
package.

This is an unfortunate consequence of Windows packaging, and it is true in the long term
that all bugs which are discovered in supporting packages (e.g. imagemagick/
ghostscript) won't be quickly fixed. We unfortunately do not have the manpower to issue a new
installer just after the next security bug appears in those packages.

The good news is that 2.3.4 should be released rather soon with a hopefully
updated IM.


What just came to my mind - couldn't some Windows 10 user actually try to
use their brand new Linux subsystem and install LyX via this system?
If LyX was useful enough this way, we would de facto have solved packaging for Windows
and could replace our installation instructions on the web.
The security updates would simply start to flow through normal distro channels
without burdening us.

Pavel


Just because some users might be able to do this doesn't mean that all LyX users on Windows are able to. Using Linux and, in particular, via the Linux Subsystem isn't something that comes easily for many Windows users. The Linux Subsystem seems more like a tool for administrators.

Daniel

--
lyx-devel mailing list
lyx-devel@lists.lyx.org
http://lists.lyx.org/mailman/listinfo/lyx-devel
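John's report gives a concrete bundled version (ImageMagick 7.0.7-27) and a minimum fixed version (7.0.8-56). The script below is an added example by the editor, not code from this thread or from the LyX project: it parses ImageMagick's `major.minor.micro-patchlevel` version strings and decides whether an installed copy is older than the fixed release, which is the check a Windows user or administrator would want to run against the copy the installer shipped. The banner format assumed for `magick -version` output (`Version: ImageMagick 7.0.7-27 Q16 x64 ...`) and the sample banners are constructed; the two version boundaries come from the report. The example goes slightly beyond the report by showing why a plain string comparison of these versions is unsafe once a component goes to two digits.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Versions named in the thread: what LyX 2.3.3-1 bundles, and the proposed upgrade floor.
BUNDLED_VERSION = "7.0.7-27"
MINIMUM_FIXED_VERSION = "7.0.8-56"

# ImageMagick versions look like 7.0.8-56: major.minor.micro-patchlevel.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")

# Constructed sample banners in the (assumed) first-line format of `magick -version`.
SAMPLE_BANNER_OLD = "Version: ImageMagick 7.0.7-27 Q16 x64 2018-03-04 http://www.imagemagick.org"
SAMPLE_BANNER_FIXED = "Version: ImageMagick 7.0.8-56 Q16 x64 2019-08-03 https://imagemagick.org"


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, micro, patchlevel) from a bare version or a full banner."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no ImageMagick version found in: {text!r}")
    major, minor, micro, patch = (int(g) for g in match.groups())
    return (major, minor, micro, patch)


def is_vulnerable(version: str, fixed: str = MINIMUM_FIXED_VERSION) -> bool:
    """True when `version` is older than the first fixed release.

    Comparison is done on integer tuples, so 7.0.10-1 correctly ranks above
    7.0.8-56; a lexicographic comparison of the raw strings would not.
    """
    return parse_version(version) < parse_version(fixed)


def assess_banner(banner: str, fixed: str = MINIMUM_FIXED_VERSION) -> Dict[str, object]:
    """Summarise one `-version` banner: the version found and whether it is below the floor."""
    found = VERSION_RE.search(banner)
    version = found.group(0) if found else None
    return {
        "version": version,
        "vulnerable": is_vulnerable(version, fixed) if version else None,
        "minimum_fixed": fixed,
    }


def check_installed(fixed: str = MINIMUM_FIXED_VERSION) -> Optional[Dict[str, object]]:
    """Run the local ImageMagick binary, if any, and assess its banner.

    Tries `magick` (ImageMagick 7 CLI) and then `convert` (older layout).
    Returns None when neither binary is on PATH. Not exercised by the test;
    the parsing logic above is what the test covers.
    """
    for binary in ("magick", "convert"):
        try:
            out = subprocess.run([binary, "-version"], capture_output=True,
                                 text=True, timeout=10, check=False).stdout
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        if VERSION_RE.search(out):
            return assess_banner(out.splitlines()[0], fixed)
    return None


if __name__ == "__main__":
    for banner in (SAMPLE_BANNER_OLD, SAMPLE_BANNER_FIXED):
        print(assess_banner(banner))
    print("installed:", check_installed())
```

Run it on a machine with the LyX-bundled ImageMagick on PATH and `check_installed()` reports whether that copy is older than 7.0.8-56; on a machine without ImageMagick it returns None. The tuple comparison matters because ImageMagick's patchlevel routinely exceeds one digit (7.0.8-56 is itself an example), so any check that compares version strings directly will misclassify releases.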