Exploitable Windows installation Lyx 2.3.3 ImageMagick 7.0.7-27

Richard Kimberly Heck rikiheck at lyx.org
Sat Nov 16 18:13:53 UTC 2019


On 11/15/19 12:27 PM, Pavel Sanda wrote:
> On Fri, Nov 15, 2019 at 10:29:37AM -0500, John wrote:
>> Lyx for Windows installer 2.3.3-1 installs ImageMagick 7.0.7-27.  This
>> version is subject to multiple buffer overflows (stack and heap) and
>> several other vulnerabilities, allowing remote code execution if the user
>> opens a LyX document incorporating a specially-crafted image.
>>
>> Solution:  Upgrade to ImageMagick 7.0.8-56 or newer in the LyX installer
>> package.
> This is unfortunate consequence of windows packaging and it is true in long term
> that all bugs which are discovered in supporting packages (e.g. imagemagick/
> ghostscript) won't be quickly fixed. We unf do not have manpower to issue new
> installer just after next security bug appears in those packages.
>
> The good news is that 2.3.4 should be released rather soon with hopefully
> updated IM.

I will figure out how to update IM when we release 2.3.4. It's largely
because I haven't had time to do that that I haven't done it.

Riki




More information about the lyx-devel mailing list