Extension:Score/2021 security advisory

In July 2020, Wikimedia disabled usage of the Score extension following a security report from Maciej Miszczyk that it was possible to gain remote code execution through LilyPond. LilyPond was supposed to be contained via firejail, however that containment wasn't enabled because of a configuration error. When it was properly enabled, a bypass was found, plus a remote code execution vulnerability was found in firejail too. Further bypasses of LilyPond's safe mode were found during code audits.

In summary, the following security issues were discovered:


 * CVE-2020-29007, MediaWiki Score allows executing arbitrary Scheme code
 * CVE-2020-17353, LilyPond allows arbitrary PostScript and does not use -dSAFER
 * Mitigated in Score by having MediaWiki run Ghostscript directly instead of relying on Lilypond, see gerrit:615594.
 * Upstream fix
 * CVE-2020-17367, CVE-2020-17368: Vulnerabilities in firejail due to --output
 * Mitigated in MediaWiki by disallowing usage of parameters named --output, see 629729.
 * Upstream fixes included in 0.9.62.2
 * CVE-2020-17354: LilyPond safe mode escape due to output-def-lookup and output-def-scope (and another issue using different functions)
 * T260225: not yet publicly disclosed, no CVE assigned yet

T257062 and its subtasks was where most coordination and discussion happened. Some more discussion about improving LilyPond's security took place on the lilypond-devel mailing list and in private email.

Re-enabling Score
Now in August 2021, Wikimedia has re-enabled Score after isolating LilyPond and other external binaries using Shellbox.

On non-Wikimedia wikis: It is recommended to only enable Score and LilyPond on your wiki if you absolutely trust everyone who has editing privileges, or if you use Shellbox. Even with "safe mode" enabled, it is not safe to allow LilyPond to process arbitrary input without containment. Ensure you're using a recent version of LilyPond (2.22.0+) or a distribution package (e.g. from Debian) that contains the security fixes. All fixes have been backported to the REL1_36 branch of Score and can be downloaded from Git or the ExtensionDistributor.

Furthermore, it's recommended to keep safe mode enabled, even with containment as an extra layer of defense. We believe Shellbox provides robust sandboxing, but no software is ever perfect, and there will always be the possibility of Kernel/Kubernetes/Docker/etc. bugs that allow for escaping the sandbox. Combined safe mode and Shellbox should make it more difficult for an attacker to exploit a bug in either.

Certain functionality will not work in safe mode, the fix for that is to modify LilyPond to allow that functionality in safe mode. Bugs can be filed in the Score Phabricator project or directly in the upstream LilyPond bug tracker.

The Wikimedia Foundation is looking to fund someone to contribute upstream to LilyPond to improve safe mode. If you're interested, please contact Tim Starling.