Page MenuHomePhabricator
Create Task
Maniphest T257091

Re-enable the Score extension in safe mode
Closed, ResolvedPublicSecurity
Actions

Description

Follows-up:

This task:

  • Await completion of security audit at T257090.
  • Address any incident follow-ups (see sub tasks - on remaining open?).
  • Address any issues from the security audit.
  • Determine whether the Firejail config that MW generates for Score is sufficient. Make any tweaks as needed. For example, do the limits for walltime, memory, and filesize work as expected and do they need tuning.
  • [ ] Re-enable Score extension in safe mode if we are comfortable with that. Safe mode was removed, so this cannot happen.

Source code of Score's Shell+Firejail command:

Details

Risk Rating
Medium
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Re-enable LilyPond/Score in safe mode (3rd attempt)operations/mediawiki-configmaster+1 -5
Remove NO_EXECVE when executing gs for nowmediawiki/extensions/Scorewmf/1.36.0-wmf.2+1 -1
Remove NO_EXECVE when executing gs for nowmediawiki/extensions/Scorewmf/1.36.0-wmf.1+1 -1
Remove NO_EXECVE when executing gs for nowmediawiki/extensions/ScoreREL1_34+1 -1
Remove NO_EXECVE when executing gs for nowmediawiki/extensions/ScoreREL1_35+1 -1
Remove NO_EXECVE when executing gs for nowmediawiki/extensions/ScoreREL1_31+1 -1
Remove NO_EXECVE when executing gs for nowmediawiki/extensions/Scoremaster+1 -1
Re-enable LilyPond/Score in safe modeoperations/mediawiki-configmaster+1 -5
Customize query in gerrit

Related Objects
Search...

Event Timeline

Krinkle created this task.Jul 4 2020, 1:17 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 4 2020, 1:17 AM
Krinkle added a subtask: Restricted Task.Jul 4 2020, 1:18 AM
Krinkle added a subtask: T257062: Lilypond seemingly not subject to restrictions (CVE-2020-29007).
Krinkle added a subscriber: faidon.Jul 4 2020, 1:24 AM
  • Re-enable Score extension in safe mode if we are comfortable with that.

For the unsafe features, I suggest we file separate (public) tasks after all this is dealt with. We could also re-open the original tasks for them instead (which were closed after safe mode was disabled with T174413 in 2017).

It was mentioned by @faidon that some of the "unsafe" features seem to have nothing unsafe about them and may've been disallowed by mistake. If that is the case we could try to work with upstream to allow those by default.

I believe someo the features considered "unsafe" by upstream may've been marked that way not for security reasons but for resource/availability reasons, e.g. if they allow unbounded growth in some way. Given we run in a firejail, we would likely be fine with enabling those things. Perhaps it would make sense for LilyPond to have a new mode in-between safe and unsafe, like "advanced" or something that allows these useful advanced capabilities (with the caveat that people should only deploy that with a ulimit/firejail wrapper). But this advanced mode (unlike the "unsafe" mode) would not expose the full Scheme/Guile programming feature set with sockets, file operations, shell commands etc. We don't want to allow that from wikitext, ever, not even in a firejail.

Krinkle added a project: MediaWiki-extensions-Score.Jul 4 2020, 1:25 AM
Krinkle added a parent task: T257066: Extension:Score / Lilypond is disabled on all wikis.
Krinkle added a subscriber: Ebe123.
CDanis subscribed.Jul 4 2020, 1:39 AM

lilypond -dsafe does not fix exploits available via ghostscript, which lilypond calls without -dSAFER (which would disable opening other files, opening pipes and execing other binaries, etc.)

faidon added a comment.EditedJul 4 2020, 1:42 AM

(see T257092 for more about this)

Platonides added a subtask: Restricted Task.Jul 4 2020, 1:45 AM
Tgr subscribed.Jul 5 2020, 3:00 PM
Platonides subscribed.Jul 5 2020, 9:03 PM
Reedy changed the task status from Open to Stalled.Jul 6 2020, 3:29 PM
Reedy subscribed.

Marking as stalled as various things to be considered and potentially implemented before this can be done

Reedy moved this task from Incoming to Waiting on the Security-Team board.Jul 13 2020, 3:13 PM
tstarling closed this task as Resolved.Jul 29 2020, 2:34 AM
tstarling claimed this task.
tstarling added a comment.Jul 29 2020, 11:38 AM

I did null edits on all the pages in https://en.wikisource.org/wiki/Category:Pages_with_score_rendering_errors , and now there are none left. Then I did null edits on all the main namespace pages in https://en.wikipedia.org/wiki/Category:Pages_with_score_rendering_errors , which left only two. I fixed Prelude and Fugue in E minor, BWV 855 and submitted https://gitlab.com/lilypond/lilypond/-/merge_requests/287 for it. First call is a more difficult case -- I just removed the staff size override since it's hard to support and it doesn't really need to be there.

So first impressions are that safe mode is not as bad as I thought it would be.

tstarling reopened this task as Open.Jul 31 2020, 12:48 AM

Disabled again.

tstarling closed subtask Restricted Task as Resolved.Aug 4 2020, 5:54 AM
wkandek subscribed.Aug 4 2020, 6:16 AM
tstarling closed this task as Resolved.Aug 4 2020, 8:39 AM

Enabled again.

tstarling reopened subtask Restricted Task as Open.Aug 12 2020, 6:53 AM
Joe reopened this task as Open.Aug 13 2020, 1:01 PM
Joe subscribed.

And disabled again.

kaldari mentioned this in T257066: Extension:Score / Lilypond is disabled on all wikis.Aug 28 2020, 1:38 AM
Samwilson mentioned this in T259208: PDF export should render music scores natively, i.e. not as images.Aug 28 2020, 6:16 AM
kaldari added a subtask: T259210: LilyPond safe mode escape due to output-def-lookup and output-def-scope (CVE-2020-17354).Oct 21 2020, 5:17 PM
Urbanecm subscribed.Nov 15 2020, 4:09 PM

@tstarling Given you are currently assigned to this task: Is there any work currently being done on this? Asking in context of ankry's comment at T257066#6622631.

Krinkle unsubscribed.Nov 16 2020, 6:57 AM
Legoktm closed subtask T257207: Document MW Firejail config/profile as Resolved.Jan 13 2021, 9:43 PM
Aklapper added a parent task: T259208: PDF export should render music scores natively, i.e. not as images.Feb 19 2021, 8:41 AM
sbassett triaged this task as Medium priority.Aug 4 2021, 7:10 PM
sbassett moved this task from Waiting to Watching on the Security-Team board.
sbassett changed Risk Rating from N/A to Medium.
Legoktm closed this task as Resolved.Aug 20 2021, 9:47 PM
Legoktm subscribed.

A security audit and risk exercise was conducted of Score+Shellbox. The LilyPond security audit is incomplete/still in progress, but we've decided that OK if LilyPond still has safe mode escapes.

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 20 2021, 9:48 PM
Legoktm changed the edit policy from "Custom Policy" to "All Users".
Legoktm closed subtask T257062: Lilypond seemingly not subject to restrictions (CVE-2020-29007) as Resolved.Aug 20 2021, 9:50 PM
sbassett closed subtask Restricted Task as Declined.Mar 22 2022, 5:04 PM
sbassett changed the status of subtask T259210: LilyPond safe mode escape due to output-def-lookup and output-def-scope (CVE-2020-17354) from Open to Stalled.Jul 6 2022, 6:07 PM
Bugreporter closed subtask T259210: LilyPond safe mode escape due to output-def-lookup and output-def-scope (CVE-2020-17354) as Declined.Tue, Jun 9, 1:52 AM
sbassett updated the task description. (Show Details)Tue, Jun 9, 2:59 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits