From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001
From: Nicolas Vigier <boklm@mageia.org>
Date: Sun, 14 Apr 2013 13:46:12 +0000
Subject: Add zarb MLs html archives

---
 zarb-ml/mageia-dev/2011-October/008619.html | 111 ++++++++++++++++++++++++++++
 1 file changed, 111 insertions(+)
 create mode 100644 zarb-ml/mageia-dev/2011-October/008619.html

(limited to 'zarb-ml/mageia-dev/2011-October/008619.html')

diff --git a/zarb-ml/mageia-dev/2011-October/008619.html b/zarb-ml/mageia-dev/2011-October/008619.html
new file mode 100644
index 000000000..9421b1832
--- /dev/null
+++ b/zarb-ml/mageia-dev/2011-October/008619.html
@@ -0,0 +1,111 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+ <HEAD>
+   <TITLE> [Mageia-dev] About syslinux &amp; libpng
+   </TITLE>
+   <LINK REL="Index" HREF="index.html" >
+   <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20About%20syslinux%20%26%20libpng&In-Reply-To=%3C201110041130.32520.bgmilne%40staff.telkomsa.net%3E">
+   <META NAME="robots" CONTENT="index,nofollow">
+   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+   <LINK REL="Previous"  HREF="008613.html">
+   <LINK REL="Next"  HREF="008620.html">
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+   <H1>[Mageia-dev] About syslinux &amp; libpng</H1>
+    <B>Buchan Milne</B> 
+    <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20About%20syslinux%20%26%20libpng&In-Reply-To=%3C201110041130.32520.bgmilne%40staff.telkomsa.net%3E"
+       TITLE="[Mageia-dev] About syslinux &amp; libpng">bgmilne at staff.telkomsa.net
+       </A><BR>
+    <I>Tue Oct  4 11:30:29 CEST 2011</I>
+    <P><UL>
+        <LI>Previous message: <A HREF="008613.html">[Mageia-dev] About syslinux &amp; libpng
+</A></li>
+        <LI>Next message: <A HREF="008620.html">[Mageia-dev] About syslinux &amp; libpng
+</A></li>
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#8619">[ date ]</a>
+              <a href="thread.html#8619">[ thread ]</a>
+              <a href="subject.html#8619">[ subject ]</a>
+              <a href="author.html#8619">[ author ]</a>
+         </LI>
+       </UL>
+    <HR>  
+<!--beginarticle-->
+<PRE>On Monday, 3 October 2011 15:58:36 Michael Scherer wrote:
+
+&gt;<i> Except if I start to replace this by &quot;here is a nice syslinux boot image
+</I>&gt;<i> with a duck&quot;. And then my code is run by syslinux, just because someone
+</I>&gt;<i> took my png picture.
+</I>
+And the same person could say, &quot;Here is my cool plymouth splash screen, use my 
+initrd&quot;, and there are 1000 easier ways to exploit this (than trying to 
+generate a PNG image with exploit code that someone would like enough to use 
+syslinux).
+
+&lt;troll&gt;
+Maybe we need to adopt secure UEFI, and sign our kernels and initial ram disks 
+...
+&lt;/troll&gt;
+
+&gt;<i> So no, bundling is not without causing trouble.
+</I>&gt;<i> 
+</I>&gt;<i> &gt; So if we take this road of removing bootloader's libs, shall we also
+</I>&gt;<i> &gt; remove the jpeg/gz/gcc/... libs too, and maybe for other bootloaders too
+</I>&gt;<i> &gt; ?
+</I>&gt;<i> &gt; 
+</I>&gt;<i> &gt; I do understand the need for the application that runs under linux...
+</I>&gt;<i> &gt; but about the bootloaders...
+</I>&gt;<i> 
+</I>&gt;<i> Unless I am wrong, a bootloader run on ring 0 or can even ( like xen )
+</I>&gt;<i> be used to run the kernel in a specific separate memory space ( ie,
+</I>&gt;<i> virtualisation ). This could open a whole new range of problem ( like
+</I>&gt;<i> the Blue Pill concept code published 5 years ago by Joanna Rutkowska )
+</I>&gt;<i> 
+</I>&gt;<i> So I think that bootloader requires more consideration than regular
+</I>&gt;<i> application.
+</I>&gt;<i> 
+</I>&gt;<i> &gt; What's your thoughts about it ?
+</I>&gt;<i> &gt; Would you agree on keep syslinux untouched regarding the png lib ?
+</I>&gt;<i> 
+</I>&gt;<i> For reasons explained before, I would rather disagree.
+</I>
+But, users foolish enough to be tricked into booting malicious code can't 
+really be helped.
+
+I think it would be better if syslinux was compatible with current upstream 
+libpng, so, if:
+1)There is an upstream bug filed regarding support for current libpng
+2)We have a registry of software building statically or with internal copies 
+of libraries, and syslinux is added with a reference to the upstream bug
+
+then I think it is reasonable to build syslinux with internal libpng. Unless 
+you are going to mitigate *all* other attack vectors based on 'here, boot my 
+random binaries on your system'.
+
+Regards,
+Buchan
+</PRE>
+
+
+
+
+<!--endarticle-->
+    <HR>
+    <P><UL>
+        <!--threads-->
+	<LI>Previous message: <A HREF="008613.html">[Mageia-dev] About syslinux &amp; libpng
+</A></li>
+	<LI>Next message: <A HREF="008620.html">[Mageia-dev] About syslinux &amp; libpng
+</A></li>
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#8619">[ date ]</a>
+              <a href="thread.html#8619">[ thread ]</a>
+              <a href="subject.html#8619">[ subject ]</a>
+              <a href="author.html#8619">[ author ]</a>
+         </LI>
+       </UL>
+
+<hr>
+<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
+mailing list</a><br>
+</body></html>
-- 
cgit v1.2.1