Exploitable Windows installation Lyx 2.3.3 ImageMagick 7.0.7-27

Richard Kimberly Heck rikiheck at lyx.org
Sat Nov 16 18:13:22 UTC 2019


On 11/16/19 6:56 AM, Daniel wrote:
> On 15/11/19 18:27, Pavel Sanda wrote:
>> On Fri, Nov 15, 2019 at 10:29:37AM -0500, John wrote:
>>> LyX for Windows installer 2.3.3-1 installs ImageMagick 7.0.7-27. This
>>> version is subject to multiple buffer overflows (stack and heap) and
>>> several other vulnerabilities, allowing remote code execution if the
>>> user opens a LyX document incorporating a specially-crafted image.
>>>
>>> Solution: Upgrade to ImageMagick 7.0.8-56 or newer in the LyX
>>> installer package.
>>
>> This is an unfortunate consequence of Windows packaging, and it is true
>> in the long term that all bugs which are discovered in supporting
>> packages (e.g. ImageMagick/Ghostscript) won't be quickly fixed. We
>> unfortunately do not have the manpower to issue a new installer just
>> after the next security bug appears in those packages.
>>
>> The good news is that 2.3.4 should be released rather soon, hopefully
>> with an updated IM.
>>
>>
>> What just came to my mind: couldn't some Windows 10 users actually try
>> to use their brand new Linux subsystem and install LyX via this system?
>> If LyX was useful enough this way, we would de facto have solved
>> packaging for Windows and could replace our installation instructions
>> on the web. The security updates will simply start flowing through
>> normal distro channels without burdening us.
>>
>> Pavel
>
>
> Just because some users might be able to do this doesn't mean that all
> LyX users on Windows are able to. Using Linux and, in particular, via
> the Linux Subsystem isn't something that comes easy for many Windows
> users. The Linux Subsystem seems more like a tool for administrators.

Longer term, this might work. Right now, this looks pretty cutting edge.
Who knows how long the Gods of Redmond will support it. I remember a
long time ago that Apple once allowed other manufacturers to install
their OS.

Riki
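The report above names one concrete threshold: the 7.0.7-27 build bundled by the LyX 2.3.3-1 Windows installer is affected, and 7.0.8-56 is the first release the reporter considers fixed. The script below, added here as an illustration and not code from the LyX project or from anyone in the thread, parses the banner that `magick -version` prints (or a bare version string) and reports whether the installed build is older than that threshold. The only assumptions are the two version numbers from the report and the `magick` command name; the sample banner is constructed, not captured from a real install.

```python
"""Check whether an ImageMagick build predates the release named as fixed.

Added example, not part of the LyX project or of the mailing-list thread.
Assumes only the two versions from the report: 7.0.7-27 (shipped by the
LyX 2.3.3-1 Windows installer) and 7.0.8-56 (minimum fixed release).
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Minimum release the report names as fixed.
MIN_FIXED = "7.0.8-56"

# Constructed sample of the banner line `magick -version` prints on the
# installer's bundled build (format "ImageMagick MAJOR.MINOR.PATCH-RELEASE").
SAMPLE_BANNER = "Version: ImageMagick 7.0.7-27 Q16 x64"

# Matches "ImageMagick 7.0.7-27" or a bare "7.0.7-27".
_VERSION_RE = re.compile(r"(?:ImageMagick\s+)?(\d+)\.(\d+)\.(\d+)-(\d+)\b")

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch, release) from a banner or bare version.

    Returns None if no "X.Y.Z-N" version is present in the text.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())  # type: ignore[return-value]


def is_vulnerable(text: str, min_fixed: str = MIN_FIXED) -> bool:
    """True if the version in `text` is older than `min_fixed`.

    Tuples compare element by element, so 7.0.8-56 compares correctly
    against 7.0.10-3 (release numbers are integers, not strings).
    Note: a legacy 6.x build also compares as older; it is a separate
    branch with its own fixes, so treat that result as "needs review".
    """
    found = parse_version(text)
    if found is None:
        raise ValueError(f"no ImageMagick version found in: {text!r}")
    threshold = parse_version(min_fixed)
    assert threshold is not None
    return found < threshold


def installed_banner(command: str = "magick") -> Optional[str]:
    """Return the banner of the ImageMagick on PATH, or None if absent."""
    exe = shutil.which(command)
    if exe is None:
        return None
    out = subprocess.run([exe, "-version"], capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    # Stand-alone use: check the local install, falling back to the sample.
    banner = installed_banner() or SAMPLE_BANNER
    ver = parse_version(banner)
    status = "VULNERABLE (older than %s)" % MIN_FIXED if is_vulnerable(banner) else "ok"
    print(f"ImageMagick {'.'.join(map(str, ver[:3]))}-{ver[3]}: {status}")
```

Run it on the affected machine (the bundled `magick.exe` must be on PATH, or pass its directory to `installed_banner`); without ImageMagick present it evaluates the constructed sample banner and reports it as vulnerable.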
