Exploitable Windows installation Lyx 2.3.3 ImageMagick 7.0.7-27

Pavel Sanda sanda at lyx.org
Fri Nov 15 17:27:27 UTC 2019


On Fri, Nov 15, 2019 at 10:29:37AM -0500, John wrote:
> Lyx for Windows installer 2.3.3-1 installs ImageMagick 7.0.7-27.  This
> version is subject to multiple buffer overflows (stack and heap) and
> several other vulnerabilities, allowing remote code execution if the user
> opens a LyX document incorporating a specially-crafted image.
> 
> Solution:  Upgrade to ImageMagick 7.0.8-56 or newer in the LyX installer
> package.

This is an unfortunate consequence of Windows packaging, and it is true in the long term
that all bugs which are discovered in supporting packages (e.g. imagemagick/
ghostscript) won't be quickly fixed. We unfortunately do not have the manpower to issue a new
installer just after the next security bug appears in those packages.

The good news is that 2.3.4 should be released rather soon with hopefully
updated IM.


What just came to my mind - couldn't some Windows 10 user actually try to
use their brand new Linux subsystem, and install LyX via this system?
If LyX was useful enough this way, we would de facto have solved packaging for Windows
and could replace our installation instructions on the web.
The security updates would simply start to flow through normal distro channels
without burdening us.

Pavel
