On 11/16/19 6:56 AM, Daniel wrote:
> On 15/11/19 18:27, Pavel Sanda wrote:
>> On Fri, Nov 15, 2019 at 10:29:37AM -0500, John wrote:
>>> LyX for Windows installer 2.3.3-1 installs ImageMagick 7.0.7-27. This
>>> version is subject to multiple buffer overflows (stack and heap) and
>>> several other vulnerabilities, allowing remote code execution if the
>>> user opens a LyX document incorporating a specially-crafted image.
>>>
>>> Solution: Upgrade to ImageMagick 7.0.8-56 or newer in the LyX
>>> installer package.
>>
>> This is an unfortunate consequence of Windows packaging, and it is true
>> in the long term that all bugs which are discovered in supporting
>> packages (e.g. imagemagick/ghostscript) won't be quickly fixed. We
>> unfortunately do not have the manpower to issue a new installer just
>> after the next security bug appears in those packages.
>>
>> The good news is that 2.3.4 should be released rather soon with
>> hopefully updated IM.
>>
>> What just came to my mind - couldn't some Windows 10 users actually
>> try to use their brand new Linux subsystem, and install LyX via this
>> system? If LyX was useful enough this way, we de facto solved packaging
>> for Windows and could replace our installation instructions on the web.
>> The security updates will simply start to flow through normal distro
>> channels without burdening us.
>>
>> Pavel
>
> Just because some users might be able to do this doesn't mean that all
> LyX users on Windows are able to. Using Linux and, in particular, via
> the Linux Subsystem isn't something that comes easy for many Windows
> users. The Linux Subsystem seems more like a tool for administrators.

Longer term, this might work. Right now, this looks pretty cutting edge.
Who knows how long the Gods of Redmond will support it. I remember a long
time ago that Apple once allowed other manufacturers to install their OS.

Riki

--
lyx-devel mailing list
lyx-devel@lists.lyx.org
http://lists.lyx.org/mailman/listinfo/lyx-devel