Hello, I’m the maintainer of the Score extension. There is also https://nvd.nist.gov/vuln/detail/CVE-2020-17353 which affects LilyPond through PostScript code injection. We’ve also done a security audit. I’ve CC’d Tim Starling who performed the audit to this thread, and he’d be in a better position to responsibly disclose problems.
We hope to get LilyPond back on the Wikis, and that vulnerabilities get fixed well for a safer LilyPond!

Étienne

> On 15 Oct 2020, at 19:05, Carl Sorensen <c_soren...@byu.edu> wrote:
>
> Unfortunately, there's not enough information on that thread to understand what the issues are.
>
> I know that in the past there have been significant security concerns which had a core concern related to Guile programming, since Guile is a Turing-complete language.
>
> I don't know how we can contribute until we are made aware of the challenges here.
>
> Carl
>
> On 10/15/20, 4:14 PM, "lilypond-devel on behalf of Daniel Benjamin Miller" <lilypond-devel-bounces+carl.d.sorensen+digest=gmail....@gnu.org on behalf of dbmil...@dbmiller.org> wrote:
>
> Not of direct relevance to us as end users, but can someone shed light on this and/or resolve the concern of the Wikimedia people? In the meantime LilyPond support has been disabled on Wikipedia.
> https://phabricator.wikimedia.org/T257066