[Mageia-dev] About syslinux & libpng

Guillaume Rousse guillomovitch at gmail.com
Tue Oct 4 17:24:27 CEST 2011


Le 04/10/2011 16:50, Michael scherer a écrit :
> On Tue, Oct 04, 2011 at 11:30:29AM +0200, Buchan Milne wrote:
>> On Monday, 3 October 2011 15:58:36 Michael Scherer wrote:
>>
>>> Except if I start to replace this by "here is a nice syslinux boot image
>>> with a duck". And then my code is run by syslinux, just because someone
>>> took my png picture.
>>
>> And the same person could say, "Here is my cool plymouth splash screen, use my
>> initrd", and there are 1000 easier ways to exploit this (than trying to
>> generate a PNG image with exploit code that someone would like enough to use
>> syslinux).
>
> Sure, but we can also upload the pics on some gnome-art or something like that.
>
> Now, if we consider every possible exploit requires opening a document as a non
> problem, I guess it would surely reduce our workload on security issue, and
> for sure enhance the confidence.
Those situations are not really comparable. Opening a document with the 
corresponding application is a normal usage scenario, whereas 
configuring the boot process is a system administration scenario, 
requiring explicit context change.

> And while I was not aware of it when I wrote my mail, it already happened :
>
> MDKSA-2006:210
Nobody said it didn't happened, just than forcing build against system 
version of the library would requires more effort right now, without 
avoiding the need to also rebuild syslinux in case of vulnerability in 
libpng, as it is statically linked. It would just make easier to track 
vulnerability by having a single version, and avoid to patch twice.

-- 
Guillaume



More information about the Mageia-dev mailing list