Re: Security problem: lilypond-invoke-editor

2017-11-23 Thread Stanton Sanderson
Is this Windows-specific or is there a potential threat for other platforms?
Stan
> On Nov 23, 2017, at 6:42 AM, David Kastrup wrote:
>
> Knut Petersen writes:
>
>> On 23.11.2017 at 10:23, David Kastrup wrote:
>>> Stupid question: what does run-editor do to be inherently safer than
>>> run-b

Re: Security problem: lilypond-invoke-editor

2017-11-23 Thread David Wright
On Thu 23 Nov 2017 at 10:27:36 (+), J Martin Rushton wrote:
> On 23/11/17 09:23, David Kastrup wrote:
> > Knut Petersen writes:
> >
> >> 12 years ago a security problem was introduced into lilypond-invoke-editor.
> >> On 2017/11/15 the problem was reported to the bug-lilypond mailing
> >> lis

Re: Security problem: lilypond-invoke-editor

2017-11-23 Thread Knut Petersen
On 23.11.2017 at 17:53, Stanton Sanderson wrote:
> Is this Windows-specific or is there a potential threat for other platforms?
It definitely affects Linux systems. I suspect that Windows/Mac systems are also affected, but I cannot verify that.
Knut

Re: Security problem: lilypond-invoke-editor

2017-11-23 Thread David Kastrup
Knut Petersen writes:
> On 23.11.2017 at 10:23, David Kastrup wrote:
>> Stupid question: what does run-editor do to be inherently safer than
>> run-browser, and what would prevent run-browser from doing the same?
>
> Your suspicion is correct. Also textedit URIs are vulnerable to a very
> simila

Re: Security problem: lilypond-invoke-editor

2017-11-23 Thread Knut Petersen
On 23.11.2017 at 10:23, David Kastrup wrote:
> Stupid question: what does run-editor do to be inherently safer than run-browser, and what would prevent run-browser from doing the same?
Your suspicion is correct. Also textedit URIs are vulnerable to a very similar attack. So EVERYBODY should co

Re: Security problem: lilypond-invoke-editor

2017-11-23 Thread Blöchl Bernhard
Is this the well documented Windows URI security flaw discussed about 2007?
https://www.networkworld.com/article/2286774/lan-wan/microsoft-to-fix-uri-security-flaw-after-criticism.html
https://blog.mozilla.org/security/2007/07/23/related-security-issue-in-url-protocol-handling-on-windows/
htt

Re: Security problem: lilypond-invoke-editor

2017-11-23 Thread J Martin Rushton
On 23/11/17 09:23, David Kastrup wrote:
> Knut Petersen writes:
>
>> 12 years ago a security problem was introduced into lilypond-invoke-editor.
>> On 2017/11/15 the problem was reported to the bug-lilypond mailing
>> list by Gabriel Corona.
>
> [...]
>
>> If you do not know if you are affected

Re: Security problem: lilypond-invoke-editor

2017-11-23 Thread David Kastrup
Knut Petersen writes:
> 12 years ago a security problem was introduced into lilypond-invoke-editor.
> On 2017/11/15 the problem was reported to the bug-lilypond mailing
> list by Gabriel Corona.
[...]
> If you do not know if you are affected:
>
> 1.: locate lilypond-invoke-editor
>
> 2. Open li