Exploitable Windows installation Lyx 2.3.3 ImageMagick 7.0.7-27
xracoonx at gmx.de
Sat Nov 16 11:56:51 UTC 2019
On 15/11/19 18:27, Pavel Sanda wrote:
> On Fri, Nov 15, 2019 at 10:29:37AM -0500, John wrote:
>> Lyx for Windows installer 2.3.3-1 installs ImageMagick 7.0.7-27. This
>> version is subject to multiple buffer overflows (stack and heap) and
>> several other vulnerabilities, allowing remote code execution if the user
>> opens a LyX document incorporating a specially-crafted image.
>> Solution: Upgrade to ImageMagick 7.0.8-56 or newer in the LyX installer
> This is unfortunate consequence of windows packaging and it is true in long term
> that all bugs which are discovered in supporting packages (e.g. imagemagick/
> ghostscript) won't be quickly fixed. We unf do not have manpower to issue new
> installer just after next security bug appears in those packages.
> The good news is that 2.3.4 should be released rather soon with hopefully
> updated IM.
> What just come to my mind - couldn't some windows 10 user actually try to
> use their brand new linux subsystem, and install LyX via this system?
> If LyX was useful enough this way, we de facto solved packaging for windows
> and could replace our installation instructions on web.
> The security updates will simply start flow through normal distro channels
> without burdening us.
Just because some users might be able to do this doesn't mean that all
LyX users on Windows are able to. Using Linux and, in particular, via
the Linux Subsystem isn't something that comes easy for many Windows
users. The Linux Subsystem seems more like a tool for administrators.
More information about the lyx-devel