Re: Security problem: lilypond-invoke-editor

[J Martin Rushton]

On 23/11/17 09:23, David Kastrup wrote:
> Knut Petersen <address@hidden> writes:
> 
>> 12 years ago a security problem was introduced into lilypond-invoke-editor.
>> On 2017/11/15 the problem was reported to the bug-lilypond mailing
>> list by Gabriel Corona.
> 
> [...]
> 
>> If you do not know if you are affected:
>>
>> 1.: locate lilypond-invoke-editor
>>
>> 2. Open lilypond-invoke-editor in your favorite text editor. Search for
>>
>>        (if (is-textedit-uri? uri)
>>          (run-editor uri)
>>          (run-browser uri)))))
>>
>> and replace it with
>>
>>        (if (is-textedit-uri? uri)
>>          (run-editor uri)))))
> 
> Stupid question: what does run-editor do to be inherently safer than
> run-browser, and what would prevent run-browser from doing the same?
> 
> The reason I am asking is that changing the semantics significantly
> before 2.20 is icky, yet we would not want to leave a security hole
> around we have been given notice of.
> 
> So the question is whether there would not be a sort-of trivial patchup
> of this preserving the original intent.
> 
> For the long haul, it's probably the right fix on GNU/Linux systems.  I
> just have no idea how this would affect other systems and possibly our
> installers.
> 
Just to make life hard, using "command -v lilypond-invoke-editor" turns
up a file in /usr/local/bin.  It is a symbolic link to
/usr/local/bin/lilypond-wrapper.guile.  That file is (truncating to
avoid wrapping):

#!/bin/sh
export PYTHONPATH= ...
export GUILE_LOAD_PATH= ...
export LD_LIBRARY_PATH= ...
me=`basename $0`
exec "/usr/local/lilypond/usr/bin/guile"  \
  -e main "/usr/local/lilypond/usr/bin/$me" "$@"

It is the file /usr/local/lilypond/usr/bin/lilypond-invoke-editor which
contains the statements above.

signature.asc
Description: OpenPGP digital signature