diff options
| author | Nicolas Vigier <boklm@mageia.org> | 2013-04-14 13:46:12 +0000 |
|---|---|---|
| committer | Nicolas Vigier <boklm@mageia.org> | 2013-04-14 13:46:12 +0000 |
| commit | 1be510f9529cb082f802408b472a77d074b394c0 (patch) | |
| tree | b175f9d5fcb107576dabc768e7bd04d4a3e491a0 /zarb-ml/mageia-dev/2011-October/008619.html | |
| parent | fa5098cf210b23ab4f419913e28af7b1b07dafb2 (diff) | |
| download | archives-master.tar archives-master.tar.gz archives-master.tar.bz2 archives-master.tar.xz archives-master.zip | |
Diffstat (limited to 'zarb-ml/mageia-dev/2011-October/008619.html')
| -rw-r--r-- | zarb-ml/mageia-dev/2011-October/008619.html | 111 |
1 files changed, 111 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/2011-October/008619.html b/zarb-ml/mageia-dev/2011-October/008619.html new file mode 100644 index 000000000..9421b1832 --- /dev/null +++ b/zarb-ml/mageia-dev/2011-October/008619.html @@ -0,0 +1,111 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-dev] About syslinux & libpng + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20About%20syslinux%20%26%20libpng&In-Reply-To=%3C201110041130.32520.bgmilne%40staff.telkomsa.net%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="008613.html"> + <LINK REL="Next" HREF="008620.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-dev] About syslinux & libpng</H1> + <B>Buchan Milne</B> + <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20About%20syslinux%20%26%20libpng&In-Reply-To=%3C201110041130.32520.bgmilne%40staff.telkomsa.net%3E" + TITLE="[Mageia-dev] About syslinux & libpng">bgmilne at staff.telkomsa.net + </A><BR> + <I>Tue Oct 4 11:30:29 CEST 2011</I> + <P><UL> + <LI>Previous message: <A HREF="008613.html">[Mageia-dev] About syslinux & libpng +</A></li> + <LI>Next message: <A HREF="008620.html">[Mageia-dev] About syslinux & libpng +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#8619">[ date ]</a> + <a href="thread.html#8619">[ thread ]</a> + <a href="subject.html#8619">[ subject ]</a> + <a href="author.html#8619">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>On Monday, 3 October 2011 15:58:36 Michael Scherer wrote: + +><i> Except if I start to replace this by "here is a nice syslinux boot image +</I>><i> with a duck". And then my code is run by syslinux, just because someone +</I>><i> took my png picture. +</I> +And the same person could say, "Here is my cool plymouth splash screen, use my +initrd", and there are 1000 easier ways to exploit this (than trying to +generate a PNG image with exploit code that someone would like enough to use +syslinux). + +<troll> +Maybe we need to adopt secure UEFI, and sign our kernels and initial ram disks +... +</troll> + +><i> So no, bundling is not without causing trouble. +</I>><i> +</I>><i> > So if we take this road of removing bootloader's libs, shall we also +</I>><i> > remove the jpeg/gz/gcc/... libs too, and maybe for other bootloaders too +</I>><i> > ? +</I>><i> > +</I>><i> > I do understand the need for the application that runs under linux... +</I>><i> > but about the bootloaders... +</I>><i> +</I>><i> Unless I am wrong, a bootloader run on ring 0 or can even ( like xen ) +</I>><i> be used to run the kernel in a specific separate memory space ( ie, +</I>><i> virtualisation ). This could open a whole new range of problem ( like +</I>><i> the Blue Pill concept code published 5 years ago by Joanna Rutkowska ) +</I>><i> +</I>><i> So I think that bootloader requires more consideration than regular +</I>><i> application. +</I>><i> +</I>><i> > What's your thoughts about it ? +</I>><i> > Would you agree on keep syslinux untouched regarding the png lib ? +</I>><i> +</I>><i> For reasons explained before, I would rather disagree. +</I> +But, users foolish enough to be tricked into booting malicious code can't +really be helped. + +I think it would be better if syslinux was compatible with current upstream +libpng, so, if: +1)There is an upstream bug filed regarding support for current libpng +2)We have a registry of software building statically or with internal copies +of libraries, and syslinux is added with a reference to the upstream bug + +then I think it is reasonable to build syslinux with internal libpng. Unless +you are going to mitigate *all* other attack vectors based on 'here, boot my +random binaries on your system'. + +Regards, +Buchan +</PRE> + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="008613.html">[Mageia-dev] About syslinux & libpng +</A></li> + <LI>Next message: <A HREF="008620.html">[Mageia-dev] About syslinux & libpng +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#8619">[ date ]</a> + <a href="thread.html#8619">[ thread ]</a> + <a href="subject.html#8619">[ subject ]</a> + <a href="author.html#8619">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev +mailing list</a><br> +</body></html> |