Re: PATCHES - Countdown for December 12th
- Original Message -
From: "David Kastrup" <d...@gnu.org>
To: "James Lowe" <pkx1...@runbox.com>
Cc: "lilypond-devel" <lilypond-devel@gnu.org>
Sent: Wednesday, December 13, 2017 6:16 PM
Subject: Re: PATCHES - Countdown for December 12th

> "James Lowe" <pkx1...@runbox.com> writes:
>
>> Mr. Petersen,
>>
>> On Wed, 13 Dec 2017 14:53:58 +0100, Knut Petersen
>> <knut_peter...@t-online.de> wrote:
>>
>>> On 12.12.2017 at 11:54, James Lowe wrote:
>>> > Hello,
>>> >
>>> > Here is the current patch countdown list. The next countdown will be on
>>> > December 16th.
>>>
>>> We still have a severe security hole in lilypond, and a patch is available.
>>> See https://sourceforge.net/p/testlilyissues/issues/5243/
>>
>> Yes I see a patch is available.
>>
>>> It would take only minutes to prepare a pdf that starts to recursively
>>> wipe out the home directory of any user who opens that pdf in evince,
>>> mupdf etc. if support for textedit links is installed as recommended
>>> in our documentation. textedit links also might be embedded in html.
>>
>> I don't doubt that your comments are valid, however looking at that
>> tracker thread and not being a developer I cannot tell if this was
>> still under discussion and it looked like, to my inexperienced eyes
>> anyway, that there was some dispute or reasoning that still needed
>> confirmation.
>>
>> So, if this tracker is NOT supposed to be at 'needs_work' then by all
>> means set it back to review. However, to save more compilation
>> failures, can you rebase the patch to current master as it has been a
>> while since your patch was uploaded.
>>
>> Then I can see what needs to be done.
>
> I'll upload a different and more generic patch today that doesn't change
> as much but sort-of opens a different can of worms. But it would need
> testing on Windows and I don't really know how to do that even
> half-reliably.
>
> --
> David Kastrup

I think testing on Windows is all but impossible. It would either need a
Windows-only build done with a Gub machine - but this needs the patch to be
in master - or a complete Gub build off a specific branch.

--
Phil Holmes

___
lilypond-devel mailing list
lilypond-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/lilypond-devel
Re: PATCHES - Countdown for December 12th
"James Lowe" writes:

> Mr. Petersen,
>
> On Wed, 13 Dec 2017 14:53:58 +0100, Knut Petersen wrote:
>
>> On 12.12.2017 at 11:54, James Lowe wrote:
>> > Hello,
>> >
>> > Here is the current patch countdown list. The next countdown will be on
>> > December 16th.
>>
>> We still have a severe security hole in lilypond, and a patch is available.
>> See https://sourceforge.net/p/testlilyissues/issues/5243/
>
> Yes I see a patch is available.
>
>> It would take only minutes to prepare a pdf that starts to recursively
>> wipe out the home directory of any user who opens that pdf in evince,
>> mupdf etc. if support for textedit links is installed as recommended
>> in our documentation. textedit links also might be embedded in html.
>
> I don't doubt that your comments are valid, however looking at that
> tracker thread and not being a developer I cannot tell if this was
> still under discussion and it looked like, to my inexperienced eyes
> anyway, that there was some dispute or reasoning that still needed
> confirmation.
>
> So, if this tracker is NOT supposed to be at 'needs_work' then by all
> means set it back to review. However, to save more compilation
> failures, can you rebase the patch to current master as it has been a
> while since your patch was uploaded.
>
> Then I can see what needs to be done.

I'll upload a different and more generic patch today that doesn't change
as much but sort-of opens a different can of worms. But it would need
testing on Windows and I don't really know how to do that even
half-reliably.

--
David Kastrup
Re: PATCHES - Countdown for December 12th
Mr. Petersen,

On Wed, 13 Dec 2017 14:53:58 +0100, Knut Petersen wrote:

> On 12.12.2017 at 11:54, James Lowe wrote:
> > Hello,
> >
> > Here is the current patch countdown list. The next countdown will be on
> > December 16th.
>
> We still have a severe security hole in lilypond, and a patch is available.
> See https://sourceforge.net/p/testlilyissues/issues/5243/

Yes I see a patch is available.

> It would take only minutes to prepare a pdf that starts to recursively
> wipe out the home directory of any user who opens that pdf in evince,
> mupdf etc. if support for textedit links is installed as recommended
> in our documentation. textedit links also might be embedded in html.

I don't doubt that your comments are valid, however looking at that
tracker thread and not being a developer I cannot tell if this was
still under discussion and it looked like, to my inexperienced eyes
anyway, that there was some dispute or reasoning that still needed
confirmation.

So, if this tracker is NOT supposed to be at 'needs_work' then by all
means set it back to review. However, to save more compilation
failures, can you rebase the patch to current master as it has been a
while since your patch was uploaded.

Then I can see what needs to be done.

Thank you very much

James
Re: PATCHES - Countdown for December 12th
On 12.12.2017 at 11:54, James Lowe wrote:

> Hello,
>
> Here is the current patch countdown list. The next countdown will be on
> December 16th.

We still have a severe security hole in lilypond, and a patch is available.
See https://sourceforge.net/p/testlilyissues/issues/5243/

It would take only minutes to prepare a pdf that starts to recursively
wipe out the home directory of any user who opens that pdf in evince,
mupdf etc. if support for textedit links is installed as recommended
in our documentation. textedit links also might be embedded in html.

Knut