Exploitable Windows installation Lyx 2.3.3 ImageMagick 7.0.7-27

Richard Kimberly Heck rikiheck at lyx.org
Sat Nov 16 18:13:53 UTC 2019

On 11/15/19 12:27 PM, Pavel Sanda wrote:
> On Fri, Nov 15, 2019 at 10:29:37AM -0500, John wrote:
>> LyX for Windows installer 2.3.3-1 installs ImageMagick 7.0.7-27.  This
>> version is subject to multiple buffer overflows (stack and heap) and
>> several other vulnerabilities, allowing remote code execution if the user
>> opens a LyX document incorporating a specially-crafted image.
>> Solution:  Upgrade to ImageMagick 7.0.8-56 or newer in the LyX installer
>> package.
> This is an unfortunate consequence of Windows packaging, and it is true in the
> long term that all bugs which are discovered in supporting packages (e.g.
> ImageMagick/Ghostscript) won't be quickly fixed. We unfortunately do not have
> the manpower to issue a new installer just after the next security bug appears
> in those packages.
> The good news is that 2.3.4 should be released rather soon with, hopefully, an
> updated IM.

I will figure out how to update IM when we release 2.3.4. It's largely
because I haven't had time to do that that I haven't done it.


